dcrat | 15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232.exe
Size

1.3MB
MD5

5d26a3bcf1722843cdc95a288e8f84ca
SHA1

b07f6c2d58ffe377cc6ee1f985074137b93897ae
SHA256

15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232
SHA512

cf974a863d9cc3543c20810ee53177067dd29f3de299bc1765e6037aeb5d89cbe189f8dfc5ea2e84256e87d88f2cd36d7162f840a81df7ae298a235dce5724aa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1908	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019377-11.dat	dcrat
behavioral1/memory/2856-13-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/2580-46-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/572-167-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2340-406-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/768-466-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/1976-526-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/748-586-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/540-647-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/1916-707-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/356-768-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1848	powershell.exe
828	powershell.exe
1520	powershell.exe
1364	powershell.exe
1708	powershell.exe
1744	powershell.exe
2560	powershell.exe
1668	powershell.exe
1704	powershell.exe
2040	powershell.exe
1812	powershell.exe
692	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2856	DllCommonsvc.exe
2580	lsm.exe
572	lsm.exe
236	lsm.exe
2888	lsm.exe
2168	lsm.exe
2340	lsm.exe
768	lsm.exe
1976	lsm.exe
748	lsm.exe
540	lsm.exe
1916	lsm.exe
356	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
1428	cmd.exe
1428	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
35	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PLA\System\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\System\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
2980	schtasks.exe
2948	schtasks.exe
2508	schtasks.exe
2584	schtasks.exe
2848	schtasks.exe
536	schtasks.exe
1380	schtasks.exe
2000	schtasks.exe
2944	schtasks.exe
2488	schtasks.exe
2592	schtasks.exe
1836	schtasks.exe
1100	schtasks.exe
2792	schtasks.exe
2124	schtasks.exe
2068	schtasks.exe
2240	schtasks.exe
1300	schtasks.exe
1612	schtasks.exe
1044	schtasks.exe
872	schtasks.exe
2504	schtasks.exe
1920	schtasks.exe
2424	schtasks.exe
2548	schtasks.exe
2708	schtasks.exe
3016	schtasks.exe
1156	schtasks.exe
2640	schtasks.exe
1768	schtasks.exe
2692	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2856	DllCommonsvc.exe
2856	DllCommonsvc.exe
2856	DllCommonsvc.exe
2856	DllCommonsvc.exe
2856	DllCommonsvc.exe
1708	powershell.exe
1520	powershell.exe
1364	powershell.exe
1848	powershell.exe
1812	powershell.exe
2040	powershell.exe
1744	powershell.exe
2580	lsm.exe
692	powershell.exe
828	powershell.exe
1704	powershell.exe
1668	powershell.exe
2560	powershell.exe
572	lsm.exe
236	lsm.exe
2888	lsm.exe
2168	lsm.exe
2340	lsm.exe
768	lsm.exe
1976	lsm.exe
748	lsm.exe
540	lsm.exe
1916	lsm.exe
356	lsm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	DllCommonsvc.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2580	lsm.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	572	lsm.exe
Token: SeDebugPrivilege	236	lsm.exe
Token: SeDebugPrivilege	2888	lsm.exe
Token: SeDebugPrivilege	2168	lsm.exe
Token: SeDebugPrivilege	2340	lsm.exe
Token: SeDebugPrivilege	768	lsm.exe
Token: SeDebugPrivilege	1976	lsm.exe
Token: SeDebugPrivilege	748	lsm.exe
Token: SeDebugPrivilege	540	lsm.exe
Token: SeDebugPrivilege	1916	lsm.exe
Token: SeDebugPrivilege	356	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 824	1796	JaffaCakes118_15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232.exe	30
PID 1796 wrote to memory of 824	1796	JaffaCakes118_15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232.exe	30
PID 1796 wrote to memory of 824	1796	JaffaCakes118_15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232.exe	30
PID 1796 wrote to memory of 824	1796	JaffaCakes118_15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232.exe	30
PID 824 wrote to memory of 1428	824	WScript.exe	31
PID 824 wrote to memory of 1428	824	WScript.exe	31
PID 824 wrote to memory of 1428	824	WScript.exe	31
PID 824 wrote to memory of 1428	824	WScript.exe	31
PID 1428 wrote to memory of 2856	1428	cmd.exe	33
PID 1428 wrote to memory of 2856	1428	cmd.exe	33
PID 1428 wrote to memory of 2856	1428	cmd.exe	33
PID 1428 wrote to memory of 2856	1428	cmd.exe	33
PID 2856 wrote to memory of 1364	2856	DllCommonsvc.exe	68
PID 2856 wrote to memory of 1364	2856	DllCommonsvc.exe	68
PID 2856 wrote to memory of 1364	2856	DllCommonsvc.exe	68
PID 2856 wrote to memory of 1708	2856	DllCommonsvc.exe	69
PID 2856 wrote to memory of 1708	2856	DllCommonsvc.exe	69
PID 2856 wrote to memory of 1708	2856	DllCommonsvc.exe	69
PID 2856 wrote to memory of 1848	2856	DllCommonsvc.exe	70
PID 2856 wrote to memory of 1848	2856	DllCommonsvc.exe	70
PID 2856 wrote to memory of 1848	2856	DllCommonsvc.exe	70
PID 2856 wrote to memory of 2560	2856	DllCommonsvc.exe	72
PID 2856 wrote to memory of 2560	2856	DllCommonsvc.exe	72
PID 2856 wrote to memory of 2560	2856	DllCommonsvc.exe	72
PID 2856 wrote to memory of 1744	2856	DllCommonsvc.exe	73
PID 2856 wrote to memory of 1744	2856	DllCommonsvc.exe	73
PID 2856 wrote to memory of 1744	2856	DllCommonsvc.exe	73
PID 2856 wrote to memory of 692	2856	DllCommonsvc.exe	74
PID 2856 wrote to memory of 692	2856	DllCommonsvc.exe	74
PID 2856 wrote to memory of 692	2856	DllCommonsvc.exe	74
PID 2856 wrote to memory of 1812	2856	DllCommonsvc.exe	75
PID 2856 wrote to memory of 1812	2856	DllCommonsvc.exe	75
PID 2856 wrote to memory of 1812	2856	DllCommonsvc.exe	75
PID 2856 wrote to memory of 828	2856	DllCommonsvc.exe	77
PID 2856 wrote to memory of 828	2856	DllCommonsvc.exe	77
PID 2856 wrote to memory of 828	2856	DllCommonsvc.exe	77
PID 2856 wrote to memory of 1520	2856	DllCommonsvc.exe	79
PID 2856 wrote to memory of 1520	2856	DllCommonsvc.exe	79
PID 2856 wrote to memory of 1520	2856	DllCommonsvc.exe	79
PID 2856 wrote to memory of 2040	2856	DllCommonsvc.exe	80
PID 2856 wrote to memory of 2040	2856	DllCommonsvc.exe	80
PID 2856 wrote to memory of 2040	2856	DllCommonsvc.exe	80
PID 2856 wrote to memory of 1704	2856	DllCommonsvc.exe	82
PID 2856 wrote to memory of 1704	2856	DllCommonsvc.exe	82
PID 2856 wrote to memory of 1704	2856	DllCommonsvc.exe	82
PID 2856 wrote to memory of 1668	2856	DllCommonsvc.exe	83
PID 2856 wrote to memory of 1668	2856	DllCommonsvc.exe	83
PID 2856 wrote to memory of 1668	2856	DllCommonsvc.exe	83
PID 2856 wrote to memory of 2580	2856	DllCommonsvc.exe	92
PID 2856 wrote to memory of 2580	2856	DllCommonsvc.exe	92
PID 2856 wrote to memory of 2580	2856	DllCommonsvc.exe	92
PID 2580 wrote to memory of 1484	2580	lsm.exe	94
PID 2580 wrote to memory of 1484	2580	lsm.exe	94
PID 2580 wrote to memory of 1484	2580	lsm.exe	94
PID 1484 wrote to memory of 2704	1484	cmd.exe	96
PID 1484 wrote to memory of 2704	1484	cmd.exe	96
PID 1484 wrote to memory of 2704	1484	cmd.exe	96
PID 1484 wrote to memory of 572	1484	cmd.exe	97
PID 1484 wrote to memory of 572	1484	cmd.exe	97
PID 1484 wrote to memory of 572	1484	cmd.exe	97
PID 572 wrote to memory of 1560	572	lsm.exe	98
PID 572 wrote to memory of 1560	572	lsm.exe	98
PID 572 wrote to memory of 1560	572	lsm.exe	98
PID 1560 wrote to memory of 2452	1560	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15139406fca568204341ef903357632505d84388995e2a2f74ef5fa218fc5232.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2704
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2452
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"
        10⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:976
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
        12⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2232
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        14⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2300
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        16⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3020
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        18⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1844
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        20⤵
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2532
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
        22⤵
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1100
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        24⤵
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2008
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
        26⤵
        
        PID:1044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1748
        
        C:\Users\Public\Documents\My Music\lsm.exe
        
        "C:\Users\Public\Documents\My Music\lsm.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\System\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d83c653fcfbda4db22c2449a844f4d17

SHA1
880c1602ad28189d7492b6575b3620a209a37052

SHA256
8ab8e7163482cdfab675f303ead9fecdd5689c2279b1ae46e22e185fe13eeecd

SHA512
9c9e8ab2afaa2ee7ae374655c4b9fe8bdb29a971caec56d095a54abef29fac35a1d37ffc31d25057258cbd2179820470bc86e1ffd6dd30409bec4f26ffb042ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c17a1ff33ff1a44c74b9fbd3a97e4c98

SHA1
f30a9b4b1ce9b5f1aea7d3d264f6057ff9f83655

SHA256
a7b9ad256aadd8a631772d285f5a0cd1ae4d44dfef1beace5e5cca1cf3ca60a4

SHA512
bfea8fbc3d4c5e3c10c671220580c9ad4352ad633ef287acc55f3cbb8499693bf687dda06114502a127e3c677e1ef26f7905d566ee023a73731efcd3317f2b95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8f48b4000abc2ee247773ec63bc7508

SHA1
b7faecbf7d1ef247dd31dc075b7043636d890e38

SHA256
c33fa7c2886929040019a0a8deb08886550c60f692a299c3bf9c53d0f7d7b633

SHA512
fee173d4cd6495a3514dccf17553474aad519e199c3fec294acfbab7879744a7380bed75ebaaf68ddd9c1936f897ca28e9120265b0a60d282b8889adf0f013be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
322d05e79973ba1f988397779692ddca

SHA1
1f764e7a5c178b98ff77a5281d7fbf670ace5aa4

SHA256
e7ff6803689c74cea90613b0ee38301ea777668693ad3ee94f98e209f7e4f74d

SHA512
1daaf31b6095698637b565f1c94de3731dc03158daebb339ae77a3f7f3826e6aa572ae34974fed3871f05f437fb0d2cb96ce3b6ae1ccbfab55f64c3513ea63c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27e3056bdaf7117e46a89d0c07bd89a5

SHA1
f51026b5ff6e76e1a8703225b06508729c395635

SHA256
773fb3f7b929a03e7d5fe4d546552222a2e0db33549008e1c33b0641c303bc37

SHA512
7dd4004f220e58d508a272dddbf960a45f7864cc79a5e6fe08f10fc0113ccfac8ec61b6d83917b995876dbbbbb48940c245e108545e2548e6e471fd115b23411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
169e8ee68b7d0b800ac7c053e2dd7306

SHA1
7a5b240acbb65bf3611ec38aa23c4084cf37f8c5

SHA256
73fc6559286652adfae3525fb20cdc234b4eb681b0d743f5bbf0baddbf7c2124

SHA512
8e626e2a8a3916240e61084553695eee50b33b6eee1e00a9a80d3ad1513fc0066ac54ecbd0fe721938e66c13b6fbaeb41b64ff154170d70d42a23128139c27a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ff1c576dded4e261e39ce47fa472859

SHA1
f9b8d1af95aeaaf6fc822ac61ba4106033667642

SHA256
d232c998a418d77a283dfbc23068231214e7fe2567eb7c790c691258d2c88a2b

SHA512
838f74fdf0757eebba6989e9018939e57ee57cc30f135d8c1b5cb185c2dd4603bb9abd20ffa5b66405649255f5ad5c5fa7dcdc51d921ad268a31c8f1bb8c6146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
339beee288797aa6b8f3aedb836af0ce

SHA1
5cf7d6d441a792705a97241ac0d83e699a8c1c2e

SHA256
7d837042bdc0902bc20834a880257b1a9ff8917b4c5a4111c929a0e2735e0227

SHA512
006b2316dfdff95321f07f8af2dbb7dcca75c3271921c603cdbc864d1c5d45b5bafddc647975f351fbe5e7ccd6f07c9880defca1f4fcccd802bb68079f14b13b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91b98ec2ba784382365d0a88da98ed1e

SHA1
a6c423fe8f479edfb5f3067caaa37130e704ac31

SHA256
5f4a4e7f38055afe540e4ffa8b3c352d569c3a3aed4cc327b0384a075dbd7ffa

SHA512
fab9fcf99c77331d01caa5c9876b06f510338a94c2916679966df2add1dbffedb13fcaef35c8893b646927660341661ef8d72939345afcee1384b9e1e68b609f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddd4a0978420a99114aa3f70c2caabae

SHA1
aac51a57e27e2ab2caf5c174f71cde2e54d99b2c

SHA256
5b8c800dba65bdb856fdbcdc4bc2b7530656422b804be492bff8c7731bbbee4c

SHA512
0b514be14f2aa179cbd2a02e7ce36ccc1cd29e8b65ec5a01cdd1e29d14ac4a3272f55e0bd9ee0695400f95ce647394c01062762de97fea49687664e202087d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

Filesize
207B

MD5
b840e432540acc286d0601d3ead59bf0

SHA1
f01d80c6242b36845470001f15311ba60fce3d0f

SHA256
734d09c5ff46727f080271cdc7d5bba969d6014613840e5c35594c30887b54bd

SHA512
4d9dd0a9e93eb60ae1203181709b5c085b416700aef5982d9bf03a050bfe37fe0c4d1d078e90a2afb8fa23b68f7f49c7089e01ee3e34c05fad8793c9fe589262

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
207B

MD5
c5025794a27f8e94046528f4bf5bb164

SHA1
36ca6b4b727df1a28bfb41e1727116e26730ab60

SHA256
27e3c94521d4ae67f160cb53e68a0218b4f2ef25ac92e53e28ad0053db523a23

SHA512
fbde85f4cc053f46a7ca3c119130cd6f46e0917090b71f69cced2053f5af8958647bd46d7793be9e989e116b58f2e416a23240e19f416bce8ee10fee9c39e653

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
207B

MD5
aa1f689c46cf01fe86488a7f2bd6d995

SHA1
540f18a8503efa96655910ea47dde6052eb9aaca

SHA256
9f40f4112f3aea6adb1e2f8e8d4398e41a0c647c87ffd6cd0911f7806a5222dd

SHA512
be15b86261f3f44e54db310bf891dcde129663cd545128bf2039c7de2043d980feba421add374ccbfa996d20900f52ef880d0037d78fc1f5a209473dcf24b496

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
207B

MD5
4d52e3d0e4784b4c8e7d6ec979129207

SHA1
fa761b57bb205a736e03e968f78d237daeae3cd8

SHA256
394886ed5ee36d0fcd69c287087f3fa9ff63d1cb04ca48251b7b2058fa188bdb

SHA512
5eab588002d274fcfe4e126cfabab6d43e325685465bd68228dc22df80c58e813b9c3ea2e91a9d4ed5a5781ee5cd44993e27af2ecd20936ecd00407f9ed4f92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

Filesize
207B

MD5
9f8a3977d1493333c21eb0f1b0d2ac8c

SHA1
a2a2b6f7c49446cf63529c1c4af4edc9610c7140

SHA256
d6b4e0262cae8276ac71a2ba7fc288340a81017723c0b1bf178ea044d5e85649

SHA512
dc8f0bc02a2ae84a14f4100670e73ba5b48b2b506be950029dd7f48ad3990ce8c37f8b11ca6dbe14a87675b615fce88fbe545b6bfa2fc25b59fc83deafcee62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD201.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
207B

MD5
c28976bc56771d6740f9c74bb97b2129

SHA1
ecf186c2d2999de9af0d9bf9b73bd1abec84599e

SHA256
d40e79768cb3cf9fc40ef7e1b6959ed2a2f96c7ea55ab3b9f66c4a7816effaf1

SHA512
bfa0791c2b1ccd8d15694220c079666b85e0b55f5e4041e08ee8bc201215b1671a239e5dfec2741ae97cff84c3670ac9d784707af4a4613bce7d6d850dd2bd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD242.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

Filesize
207B

MD5
5dde2d874408f73843e9b17a4c28eec6

SHA1
30c747b68ae7007242ed25be35509e04ec01683f

SHA256
a888d475a9ba6f7feb3c9e6f1bbcef87d55d33d6ca51584cfc77759f3621f608

SHA512
d38019e62d78eadd2a5e68b9033935d6406958421c7653afd4abc8688a2c0787dd72d1c1a5bdb9e4d5debacda068d05c74e87a267c308e89de5f378e051e4a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
207B

MD5
2c8872f566da6dd9d818cb32e4ad3cbc

SHA1
77f07ff8ebb42deaf83bb9d4fca632dbb0f65e8e

SHA256
7fc689b37e9646dea7859c1266a101cd2cbcc59d5904d7888e8f47703cc438fe

SHA512
64cbb1827c4f114e5f31c4d3ebdd7a6f4e5666a701dce37eb4617182146c463a49753c5d7d727a7ace37a1d1ad36ee6044baba213585085bd3920fb98f6f5874

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
207B

MD5
fbc5793294317d90e7db23afb0085a73

SHA1
7c066b0e55b052578871e91d9e99c1a505351d6f

SHA256
bb8f0b10b11ac42b392a4416654d85191babc1ee843a85826470f67204d35110

SHA512
b3ee723aeff9455f499be851e8857c1c24d157795fffbb4b4284ccdaed6e1f5ff2a74d600efb88de29d6ee1b8ffa1254a0671b387c83018a5b6eadc85804136f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

Filesize
207B

MD5
93491e8f2fdd11e537ccd5f9e0cce232

SHA1
34274b6a9d3a615ef1be6133a885f8c413158fc5

SHA256
db9211ec7eaae60de8d076ab6e91ffcab0fe4992a4d8591b82bbb9a9dd665c20

SHA512
b250b7ba6c8d9a64cf936f8287101bda71843266e3ad00cbdfa3d7d6b36ac43008edf94840a2ff7b1dae40dfc2dcda4ba3836a2601a0c7abe9382d9e24617842

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
207B

MD5
d482d49222d2b5f854634b82ef8c180c

SHA1
f5495e41615125ce9a4c57ebb891cc4bacc91a5b

SHA256
f7b5ea734b395dffe9520e8257a38bb48d385d3017bf6617e8eee2feccce351e

SHA512
ad1a60fa99d85811a84146ef27d8929011cb6d8952f9fdb30cd861649f4c8ccd4723faba6efc0b6251ca171c40fce617fc6a469f0cd4bb0cee01d2947df6934f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d33ec3a57d50237f8e4d948fc8849bd3

SHA1
9474fc39b495bb735256cfcba70faf7d9290c2c4

SHA256
b043f95dc5d6f1fd2a0f64ba7f8dc554c99193adf79758e415076852dc172732

SHA512
4bfefca5b3c09fceddaa59e45b162458a3786bd72e2be17fe362d2b20b31b974ccb91863cb41790318aef36f55d963756920729d858dc9ff74b4879426615a37

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/356-768-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/356-769-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/540-647-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/572-168-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/572-167-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/748-586-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/748-587-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/768-466-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/1708-58-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1708-57-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1916-707-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/1916-708-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1976-526-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2168-346-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2340-406-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2580-104-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2580-46-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/2856-17-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2856-16-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2856-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2856-14-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2856-13-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download