dcrat | 062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a

Analysis

max time kernel
139s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a.exe
Size

1.3MB
MD5

ce393bed59539e1450033e245544464e
SHA1

de22c9834f2dcef103fe2bdf2037413a8a269fd7
SHA256

062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a
SHA512

733675f9568f22f850523af660ea4114d25bfd92654e70ef5a0b0b38cc7f49ec3d34b3e82473d1180e124486515e26c2700de20f3e8e1293cb27d17e72ac6f95
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2788	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c66-9.dat	dcrat
behavioral1/memory/2824-13-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/1508-82-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1124-184-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/2908-422-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/284-543-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/1748-604-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/files/0x00050000000194a9-663.dat	dcrat
behavioral1/memory/1048-664-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1468	powershell.exe
1632	powershell.exe
1492	powershell.exe
2380	powershell.exe
2588	powershell.exe
648	powershell.exe
2168	powershell.exe
1928	powershell.exe
1700	powershell.exe
1592	powershell.exe
2028	powershell.exe
2556	powershell.exe
776	powershell.exe
2408	powershell.exe
980	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2824	DllCommonsvc.exe
1508	smss.exe
1124	smss.exe
1180	smss.exe
2588	smss.exe
1852	smss.exe
2908	smss.exe
2312	smss.exe
284	smss.exe
1748	smss.exe
1048	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
1256	cmd.exe
1256	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
13	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\es-ES\Licenses\OEM\HomeBasicE\smss.exe	DllCommonsvc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\ja-JP\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\ja-JP\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\L2Schemas\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1728	schtasks.exe
2140	schtasks.exe
2268	schtasks.exe
2908	schtasks.exe
2644	schtasks.exe
2544	schtasks.exe
832	schtasks.exe
936	schtasks.exe
900	schtasks.exe
2952	schtasks.exe
1416	schtasks.exe
2492	schtasks.exe
1896	schtasks.exe
1124	schtasks.exe
1048	schtasks.exe
552	schtasks.exe
3044	schtasks.exe
1288	schtasks.exe
1404	schtasks.exe
1600	schtasks.exe
1184	schtasks.exe
1704	schtasks.exe
2716	schtasks.exe
1424	schtasks.exe
2884	schtasks.exe
3032	schtasks.exe
2084	schtasks.exe
1524	schtasks.exe
1528	schtasks.exe
2192	schtasks.exe
2860	schtasks.exe
2512	schtasks.exe
1100	schtasks.exe
1680	schtasks.exe
2068	schtasks.exe
1136	schtasks.exe
1604	schtasks.exe
1104	schtasks.exe
3060	schtasks.exe
2932	schtasks.exe
2444	schtasks.exe
872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2824	DllCommonsvc.exe
2380	powershell.exe
1468	powershell.exe
2408	powershell.exe
1632	powershell.exe
1492	powershell.exe
2028	powershell.exe
1928	powershell.exe
1592	powershell.exe
2556	powershell.exe
1508	smss.exe
776	powershell.exe
980	powershell.exe
648	powershell.exe
2588	powershell.exe
2168	powershell.exe
1700	powershell.exe
1124	smss.exe
1180	smss.exe
2588	smss.exe
1852	smss.exe
2908	smss.exe
2312	smss.exe
284	smss.exe
1748	smss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	DllCommonsvc.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1508	smss.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1124	smss.exe
Token: SeDebugPrivilege	1180	smss.exe
Token: SeDebugPrivilege	2588	smss.exe
Token: SeDebugPrivilege	1852	smss.exe
Token: SeDebugPrivilege	2908	smss.exe
Token: SeDebugPrivilege	2312	smss.exe
Token: SeDebugPrivilege	284	smss.exe
Token: SeDebugPrivilege	1748	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2608	108	JaffaCakes118_062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a.exe	30
PID 108 wrote to memory of 2608	108	JaffaCakes118_062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a.exe	30
PID 108 wrote to memory of 2608	108	JaffaCakes118_062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a.exe	30
PID 108 wrote to memory of 2608	108	JaffaCakes118_062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a.exe	30
PID 2608 wrote to memory of 1256	2608	WScript.exe	32
PID 2608 wrote to memory of 1256	2608	WScript.exe	32
PID 2608 wrote to memory of 1256	2608	WScript.exe	32
PID 2608 wrote to memory of 1256	2608	WScript.exe	32
PID 1256 wrote to memory of 2824	1256	cmd.exe	34
PID 1256 wrote to memory of 2824	1256	cmd.exe	34
PID 1256 wrote to memory of 2824	1256	cmd.exe	34
PID 1256 wrote to memory of 2824	1256	cmd.exe	34
PID 2824 wrote to memory of 2380	2824	DllCommonsvc.exe	78
PID 2824 wrote to memory of 2380	2824	DllCommonsvc.exe	78
PID 2824 wrote to memory of 2380	2824	DllCommonsvc.exe	78
PID 2824 wrote to memory of 2556	2824	DllCommonsvc.exe	79
PID 2824 wrote to memory of 2556	2824	DllCommonsvc.exe	79
PID 2824 wrote to memory of 2556	2824	DllCommonsvc.exe	79
PID 2824 wrote to memory of 776	2824	DllCommonsvc.exe	80
PID 2824 wrote to memory of 776	2824	DllCommonsvc.exe	80
PID 2824 wrote to memory of 776	2824	DllCommonsvc.exe	80
PID 2824 wrote to memory of 2588	2824	DllCommonsvc.exe	81
PID 2824 wrote to memory of 2588	2824	DllCommonsvc.exe	81
PID 2824 wrote to memory of 2588	2824	DllCommonsvc.exe	81
PID 2824 wrote to memory of 2408	2824	DllCommonsvc.exe	82
PID 2824 wrote to memory of 2408	2824	DllCommonsvc.exe	82
PID 2824 wrote to memory of 2408	2824	DllCommonsvc.exe	82
PID 2824 wrote to memory of 980	2824	DllCommonsvc.exe	83
PID 2824 wrote to memory of 980	2824	DllCommonsvc.exe	83
PID 2824 wrote to memory of 980	2824	DllCommonsvc.exe	83
PID 2824 wrote to memory of 1928	2824	DllCommonsvc.exe	84
PID 2824 wrote to memory of 1928	2824	DllCommonsvc.exe	84
PID 2824 wrote to memory of 1928	2824	DllCommonsvc.exe	84
PID 2824 wrote to memory of 2028	2824	DllCommonsvc.exe	85
PID 2824 wrote to memory of 2028	2824	DllCommonsvc.exe	85
PID 2824 wrote to memory of 2028	2824	DllCommonsvc.exe	85
PID 2824 wrote to memory of 2168	2824	DllCommonsvc.exe	86
PID 2824 wrote to memory of 2168	2824	DllCommonsvc.exe	86
PID 2824 wrote to memory of 2168	2824	DllCommonsvc.exe	86
PID 2824 wrote to memory of 648	2824	DllCommonsvc.exe	87
PID 2824 wrote to memory of 648	2824	DllCommonsvc.exe	87
PID 2824 wrote to memory of 648	2824	DllCommonsvc.exe	87
PID 2824 wrote to memory of 1492	2824	DllCommonsvc.exe	90
PID 2824 wrote to memory of 1492	2824	DllCommonsvc.exe	90
PID 2824 wrote to memory of 1492	2824	DllCommonsvc.exe	90
PID 2824 wrote to memory of 1468	2824	DllCommonsvc.exe	92
PID 2824 wrote to memory of 1468	2824	DllCommonsvc.exe	92
PID 2824 wrote to memory of 1468	2824	DllCommonsvc.exe	92
PID 2824 wrote to memory of 1632	2824	DllCommonsvc.exe	93
PID 2824 wrote to memory of 1632	2824	DllCommonsvc.exe	93
PID 2824 wrote to memory of 1632	2824	DllCommonsvc.exe	93
PID 2824 wrote to memory of 1592	2824	DllCommonsvc.exe	95
PID 2824 wrote to memory of 1592	2824	DllCommonsvc.exe	95
PID 2824 wrote to memory of 1592	2824	DllCommonsvc.exe	95
PID 2824 wrote to memory of 1700	2824	DllCommonsvc.exe	96
PID 2824 wrote to memory of 1700	2824	DllCommonsvc.exe	96
PID 2824 wrote to memory of 1700	2824	DllCommonsvc.exe	96
PID 2824 wrote to memory of 1508	2824	DllCommonsvc.exe	108
PID 2824 wrote to memory of 1508	2824	DllCommonsvc.exe	108
PID 2824 wrote to memory of 1508	2824	DllCommonsvc.exe	108
PID 1508 wrote to memory of 2916	1508	smss.exe	109
PID 1508 wrote to memory of 2916	1508	smss.exe	109
PID 1508 wrote to memory of 2916	1508	smss.exe	109
PID 2916 wrote to memory of 2776	2916	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_062060642ebb13f7448987c185864ace34700ca7ab1984b933c065519366554a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2776
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat"
        8⤵
        
        PID:1896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2268
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"
        10⤵
        
        PID:552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2808
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
        12⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1508
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        14⤵
        
        PID:1416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2456
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
        16⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1328
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        18⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2588
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
        20⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2856
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
        22⤵
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2816
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        23⤵
        Executes dropped EXE
        
        PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c9f7837d7936a0dfada3866bf260bd1

SHA1
1caa8bf811f619f594d76f8562f15b35ccc2e3d4

SHA256
9cd0d694ed7e8b12b6780e7a27b2f0aa88928cc38a9b8ff5709d6f3e4fb387d8

SHA512
e105c1aebd6b480ebc98622792054689a598966a317c126cfb5bdb84a4de04a0defd1337152b234f5ca6e503b0b1ab5f3ff194ce0c10e32ff538bfeb107bcda4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c780b7145d1a0fb72badf07c4501dd4

SHA1
e5b8f5c71f4e4b657eb5629904c3e0fa008e926a

SHA256
9b727770368b82f0adb900c18f49ce8e16785a14bf3ddfcb90dc163ed5341dc6

SHA512
9ed3b46e2f871ca8aeffb451282b490b88b90a67c87303d34c4a0d3fce317b91df44b34697e2f5dfcee7e5326591ff337daa32aa23e33851a0d39566bba3e2d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fdfbf198032aabaacf34d044374d716

SHA1
8dac0b5ad48084e636f7821769eee8895c505d86

SHA256
6ea7fbf219366b8bbfca98eee1d85d4f0f897d0c19cb975346b7b2d1d934aebd

SHA512
4b4d9391d492335bb75fe41f98d8212ad6e7bd10b1d420439e129bd850c92bcd939aeb20505d63e9e9d4a932bd1d25f21b5fc31e6b6e5b346e32260a7579d925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60a7c2be9f9f972b8ebeaa6b1b7a8f73

SHA1
a1284adffa64c7358bc0d4b5a52fe5feee4bd372

SHA256
38cc5a8890389dd66718eca4ad32e348844ae6ed5574dece4ca61f4ef52d1654

SHA512
d5c99e57b5b9f376e533a4b1321e1f231ab423920fa84e27fb86c10ed7a708111b1a4befed88f2522ffa21bb607dfa504070aa15637046cbad623236c88b0f94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd8ce452f51d0f21090a069b0dc89cab

SHA1
e139d912cd697fa880b9614e24a8ae60331da85b

SHA256
bc9632e4790058fbe9fd997f223957188f7ed34a5111900dd5eeeb47eb79f15e

SHA512
b05650c3b6cc5a8c19864d38ccea83e316208e16b80c14214ae76d77fd7d5c4be9a6c9e2d7a5cf9d63b53da4f597faa12438229be7613026956a715d711b1879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e50541692e355aee39ccc5ec83fff220

SHA1
224ed0dfd7e4231e0a9fa359066b0c1dc2be80ff

SHA256
64564c3dbf7d813675280d93d80a98201a7e69c63551b63afd77999a0a39e743

SHA512
143581fbaf5f4a91c263139065c884ba4abe18ca41ddcbcf95d14db0fa49827e6664087a1f5f38ea03180df9de8dc10f8ec9e5dd5d9ce7ae658996a9ebe02975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ff0f29cbd7e500ec7dcbf4b387dde73

SHA1
850ba7a638e725b0e6bfaf6283b5d58ca2ba2c61

SHA256
b71a21b635e73ca997ad1b927a1526cef20b3c2706060b23a6031ddbe3a5ef13

SHA512
d035d0a6bb92b11fec0ae155baf401cec7acaa6868c299be925587ee07e93248a86f2dbc297771a05b30b97a4da1951f31efe9aebc07a205938fa3244cfc442d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f0a60c760789112eb2e26b2a9d948c3

SHA1
92ca720f62b93114bbab2d3776a5444975f30f52

SHA256
91e70489382e503be8ed7b305481593ea5ba1293780e38272bb3ea2b1d6233e4

SHA512
12d320e816509debc808984aa49a6808272b537d1fa4f88bb188a1559ae0a09f2bb439ce5d9e07fa486f5472f0fd6b1b6ea54f9fcb7db58b9e701bc780e085b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

Filesize
191B

MD5
1b847f118fd621d16f0ce4f6feee83db

SHA1
8084c1f90125a7275db96526b73cd7d84398765b

SHA256
2ecec4a3f3f78774c9781018c49ed91d0bdbcb362440c6deee070506179cf7d1

SHA512
4e5b5e20d9efbb93b5112c427745ff7be6b5f42fe7b67cb40040c39f70669406169a9bcb09bb54adc8d6100a4e7a5f7b8abb68e81959a16b3a3f93d843f880ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab550.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

Filesize
191B

MD5
5917bf54f46f4bb3d0e96bffb96fce9e

SHA1
f8dbed320ccffc7eecc71c18c91e262031b4617e

SHA256
1ac3894a9a8a8461ab46031667026bb776a9b87f81313f90777edf00663fcc4e

SHA512
9dc99b20f28007b8609398c7654cdc53b099af54ef6f3da5f603a7ff8cccbed0cf67dddf08c3b508524a81687dfc04c99a8a7292f2a84db9eeaa27ab516378a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
191B

MD5
4f58da33e7ff3f678fdde40e61404da6

SHA1
df997c120afb65b781719992e5de57faf2c12a17

SHA256
aeb137c311e6d5a25ee5449006627543e6f6f12c1d77ec127c83afa4c0749c46

SHA512
2a04857e9bdbf2fb2453ad3a704b7b289829c770421ea615f0e0c8cb0316fd0b16ddd88ad46d24d8bc1d812a157d03460c1c890ab7b235385887d3675317ec9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar572.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat

Filesize
191B

MD5
5ecdd0a4a980bf18a3b3161511653d56

SHA1
ae7c3318ff0d412e1f3d30e7e7212b87a0abff09

SHA256
c6f22defa7709a4ff7238f454d6a3d0f34ab3f37abf9f4775d33cb9ac9a08ba0

SHA512
f9b51cfd88ca74026632cdccddeab9db834dd5d4854decafc71ab7462019e7249fab78684514ee1a12a432a73009635457bb211dde2abd97fb12f9ef54e19fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
191B

MD5
9320a09a9ae8800815010f9e3bc54178

SHA1
f3445168729a2b64169ceb86b4e4d91fd7d24428

SHA256
525488e2320214c830452bde4f4351be08ae5bc53546495a5165d4b4fb061d7e

SHA512
d4c3dbf6c7b45cbddfbdea4811888937b7ac2db081cdc96fe3974d8c3f9388a6a279d38a93dcffd17e3855345bdf50ce2b61e4d13e6e0b39ca7d2249a55579dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat

Filesize
191B

MD5
60dd1930a01ece382f3fd61d9703b849

SHA1
a1eb0f8192405812e5815b308b8e7078d49bee83

SHA256
d78850225ed5432a2a288675b0365814b931df41dc8ebae816bb4d4fb304b9ee

SHA512
d23f326f1f64b28f0e87815800b18a1d3ab7b4e7a897f9bf2191cd0b11e3e25b51ebea11d2d23013e411a6ba2483a94aef5fe21b2b2d0d4d707fc66c3fe8eaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat

Filesize
191B

MD5
a0a43288095a5ce6230fda6965328d95

SHA1
31cdeab3d33c89a8ec4195064c4ed983c5fedcc9

SHA256
a052efe1626000f8f0a1821fa6e66cd3aa35cd243ebf262230ca3a0c391fbcf7

SHA512
564f18718a40d013889bd82e78095c6be094324f3f270b03ad98ca4c2199441072a7c7a1e4131acbf1014797ec786f30169f80f18798d20edbd35b47c8ac916d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat

Filesize
191B

MD5
8dae6b1e0cbabe86bc165a2ad9ca2c35

SHA1
e8a9b647cf405c614bf7151229043c1964caf649

SHA256
b272dd8b28ef7d51f01858e633e77ddfb1948360c7b29426de564fd2efe90863

SHA512
a4a1000ef0efcc846a3899377fb74b5b1d3c8f99a3348a7a11bd23bd6d2bc01801ce5b44d87cdae49118241614054e0df65b2954c117371ac1b7415e312ad49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
191B

MD5
9d45cc6bd9e929ce587b40461416589e

SHA1
f8f781888b10489bc99390afdda24c3cc6b1606a

SHA256
f82254f097751c7b20700df3c76bfdc701479658726e9182c2108bd38ea74278

SHA512
60bdfb87226263d47f8ed94a3390bccfe70797fd7423ecc1b5b3a5502f0762725ce1b3ec3414ce1362df577a84e5452b615ced6b253e5addd9e03e8d7df5e958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BEYLWJBK0WMCFVT0N0AL.temp

Filesize
7KB

MD5
c53d630641e87642a83100a1ee1975a8

SHA1
cae995dc0afb715e2ff379c6f67adda34093686c

SHA256
92fb6a2380418b471055aea0b84a6fa76ded8ae4ccd006d7789678011f0370c4

SHA512
aa517685e80e157a77e63e0bd431fbfc215728d9d6e19accea2d36fb65198374b768fe440ebcc48c9da0db4b0879449d459b40d9dde7d9f59da5686c55799761

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\smss.exe

Filesize
923KB

MD5
287ef7aea9796489941fb7cec7c7c98a

SHA1
ab3727d785e553c1ae15614751feddc0f3281add

SHA256
523099ad1cfe71e63776ea7865fe8b7178af0f71bff769422885f8afee85868c

SHA512
232a0d2aefabd803337cd1f4ba8dbf8c5a44cda4f033d021194427acc82bbb6d4194a81c3212b9dfaf3028b2efaac4fe204d42ef2e942b5321155d868ddaf47f

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/284-543-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/284-544-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/1048-664-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1124-184-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/1124-185-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1508-93-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1508-82-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/1748-604-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/2312-483-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2380-66-0x00000000028D0000-0x00000000028D8000-memory.dmp

Filesize
32KB

Download
memory/2380-60-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2824-17-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2824-13-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/2824-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2824-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2824-16-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2908-423-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2908-422-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download