dcrat | 59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08.exe
Size

1.3MB
MD5

763eebb71793cb5b91363aff91d3a8a3
SHA1

aba61d58dff6e7c0e7225884aaf3628ca9ebd98e
SHA256

59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08
SHA512

4687a1110923929df1d412760722df34edce307b6733277aa419ff649e0db4c9bfab25d795e0b15fc8abdd63fa59c558ed32dc820f62c93cf978f3ceb874229f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2008	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2008	schtasks.exe	32

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001567f-12.dat	dcrat
behavioral1/memory/2412-13-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2036-108-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/1076-344-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2524-463-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/2336-644-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/884-704-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1356	powershell.exe
1032	powershell.exe
1868	powershell.exe
1148	powershell.exe
1344	powershell.exe
1020	powershell.exe
2280	powershell.exe
2152	powershell.exe
960	powershell.exe
620	powershell.exe
872	powershell.exe
1680	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2412	DllCommonsvc.exe
2036	DllCommonsvc.exe
3024	DllCommonsvc.exe
1304	DllCommonsvc.exe
1592	DllCommonsvc.exe
1076	DllCommonsvc.exe
2628	DllCommonsvc.exe
2524	DllCommonsvc.exe
620	DllCommonsvc.exe
1048	DllCommonsvc.exe
2336	DllCommonsvc.exe
884	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
776	cmd.exe
776	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
38	raw.githubusercontent.com
41	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\de-DE\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\de-DE\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\7a0fd90576e088	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\explorer.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1780	schtasks.exe
2500	schtasks.exe
2572	schtasks.exe
2748	schtasks.exe
2752	schtasks.exe
1724	schtasks.exe
2024	schtasks.exe
2224	schtasks.exe
2696	schtasks.exe
2668	schtasks.exe
1728	schtasks.exe
372	schtasks.exe
2832	schtasks.exe
700	schtasks.exe
1136	schtasks.exe
2032	schtasks.exe
3024	schtasks.exe
2788	schtasks.exe
684	schtasks.exe
1920	schtasks.exe
884	schtasks.exe
1448	schtasks.exe
2648	schtasks.exe
2504	schtasks.exe
2516	schtasks.exe
1100	schtasks.exe
2384	schtasks.exe
2520	schtasks.exe
2624	schtasks.exe
2168	schtasks.exe
2204	schtasks.exe
2952	schtasks.exe
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2412	DllCommonsvc.exe
2412	DllCommonsvc.exe
2412	DllCommonsvc.exe
1020	powershell.exe
1148	powershell.exe
2280	powershell.exe
1868	powershell.exe
872	powershell.exe
960	powershell.exe
1356	powershell.exe
2152	powershell.exe
1344	powershell.exe
1680	powershell.exe
620	powershell.exe
1032	powershell.exe
2036	DllCommonsvc.exe
3024	DllCommonsvc.exe
1304	DllCommonsvc.exe
1592	DllCommonsvc.exe
1076	DllCommonsvc.exe
2628	DllCommonsvc.exe
2524	DllCommonsvc.exe
620	DllCommonsvc.exe
1048	DllCommonsvc.exe
2336	DllCommonsvc.exe
884	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	DllCommonsvc.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2036	DllCommonsvc.exe
Token: SeDebugPrivilege	3024	DllCommonsvc.exe
Token: SeDebugPrivilege	1304	DllCommonsvc.exe
Token: SeDebugPrivilege	1592	DllCommonsvc.exe
Token: SeDebugPrivilege	1076	DllCommonsvc.exe
Token: SeDebugPrivilege	2628	DllCommonsvc.exe
Token: SeDebugPrivilege	2524	DllCommonsvc.exe
Token: SeDebugPrivilege	620	DllCommonsvc.exe
Token: SeDebugPrivilege	1048	DllCommonsvc.exe
Token: SeDebugPrivilege	2336	DllCommonsvc.exe
Token: SeDebugPrivilege	884	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1652	2404	JaffaCakes118_59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08.exe	28
PID 2404 wrote to memory of 1652	2404	JaffaCakes118_59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08.exe	28
PID 2404 wrote to memory of 1652	2404	JaffaCakes118_59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08.exe	28
PID 2404 wrote to memory of 1652	2404	JaffaCakes118_59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08.exe	28
PID 1652 wrote to memory of 776	1652	WScript.exe	29
PID 1652 wrote to memory of 776	1652	WScript.exe	29
PID 1652 wrote to memory of 776	1652	WScript.exe	29
PID 1652 wrote to memory of 776	1652	WScript.exe	29
PID 776 wrote to memory of 2412	776	cmd.exe	31
PID 776 wrote to memory of 2412	776	cmd.exe	31
PID 776 wrote to memory of 2412	776	cmd.exe	31
PID 776 wrote to memory of 2412	776	cmd.exe	31
PID 2412 wrote to memory of 1020	2412	DllCommonsvc.exe	66
PID 2412 wrote to memory of 1020	2412	DllCommonsvc.exe	66
PID 2412 wrote to memory of 1020	2412	DllCommonsvc.exe	66
PID 2412 wrote to memory of 1356	2412	DllCommonsvc.exe	67
PID 2412 wrote to memory of 1356	2412	DllCommonsvc.exe	67
PID 2412 wrote to memory of 1356	2412	DllCommonsvc.exe	67
PID 2412 wrote to memory of 1680	2412	DllCommonsvc.exe	68
PID 2412 wrote to memory of 1680	2412	DllCommonsvc.exe	68
PID 2412 wrote to memory of 1680	2412	DllCommonsvc.exe	68
PID 2412 wrote to memory of 2280	2412	DllCommonsvc.exe	69
PID 2412 wrote to memory of 2280	2412	DllCommonsvc.exe	69
PID 2412 wrote to memory of 2280	2412	DllCommonsvc.exe	69
PID 2412 wrote to memory of 1032	2412	DllCommonsvc.exe	70
PID 2412 wrote to memory of 1032	2412	DllCommonsvc.exe	70
PID 2412 wrote to memory of 1032	2412	DllCommonsvc.exe	70
PID 2412 wrote to memory of 2152	2412	DllCommonsvc.exe	71
PID 2412 wrote to memory of 2152	2412	DllCommonsvc.exe	71
PID 2412 wrote to memory of 2152	2412	DllCommonsvc.exe	71
PID 2412 wrote to memory of 1868	2412	DllCommonsvc.exe	72
PID 2412 wrote to memory of 1868	2412	DllCommonsvc.exe	72
PID 2412 wrote to memory of 1868	2412	DllCommonsvc.exe	72
PID 2412 wrote to memory of 1148	2412	DllCommonsvc.exe	73
PID 2412 wrote to memory of 1148	2412	DllCommonsvc.exe	73
PID 2412 wrote to memory of 1148	2412	DllCommonsvc.exe	73
PID 2412 wrote to memory of 872	2412	DllCommonsvc.exe	75
PID 2412 wrote to memory of 872	2412	DllCommonsvc.exe	75
PID 2412 wrote to memory of 872	2412	DllCommonsvc.exe	75
PID 2412 wrote to memory of 960	2412	DllCommonsvc.exe	76
PID 2412 wrote to memory of 960	2412	DllCommonsvc.exe	76
PID 2412 wrote to memory of 960	2412	DllCommonsvc.exe	76
PID 2412 wrote to memory of 1344	2412	DllCommonsvc.exe	77
PID 2412 wrote to memory of 1344	2412	DllCommonsvc.exe	77
PID 2412 wrote to memory of 1344	2412	DllCommonsvc.exe	77
PID 2412 wrote to memory of 620	2412	DllCommonsvc.exe	78
PID 2412 wrote to memory of 620	2412	DllCommonsvc.exe	78
PID 2412 wrote to memory of 620	2412	DllCommonsvc.exe	78
PID 2412 wrote to memory of 1716	2412	DllCommonsvc.exe	84
PID 2412 wrote to memory of 1716	2412	DllCommonsvc.exe	84
PID 2412 wrote to memory of 1716	2412	DllCommonsvc.exe	84
PID 1716 wrote to memory of 2220	1716	cmd.exe	92
PID 1716 wrote to memory of 2220	1716	cmd.exe	92
PID 1716 wrote to memory of 2220	1716	cmd.exe	92
PID 1716 wrote to memory of 2036	1716	cmd.exe	93
PID 1716 wrote to memory of 2036	1716	cmd.exe	93
PID 1716 wrote to memory of 2036	1716	cmd.exe	93
PID 2036 wrote to memory of 2260	2036	DllCommonsvc.exe	96
PID 2036 wrote to memory of 2260	2036	DllCommonsvc.exe	96
PID 2036 wrote to memory of 2260	2036	DllCommonsvc.exe	96
PID 2260 wrote to memory of 2940	2260	cmd.exe	98
PID 2260 wrote to memory of 2940	2260	cmd.exe	98
PID 2260 wrote to memory of 2940	2260	cmd.exe	98
PID 2260 wrote to memory of 3024	2260	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59db0f470b282154d5f56ece605b739767a1e80ab6bdceab2f3b4eb5db2f2f08.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgAcjqsYPt.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2220
      - C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2940
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
        9⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2544
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        11⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1556
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        13⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3052
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
        15⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2252
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        17⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2644
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
        19⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1948
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"
        21⤵
        
        PID:2704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1860
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
        23⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2052
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
        25⤵
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2012
        
        C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe
        
        "C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        27⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bac8c85b983db3dddc4968235f95b24

SHA1
4e503399ea3af7d05a22caf6b25278787f981b05

SHA256
8f304f150122ec7d20e944ad04ee39dd7d4900c05e989a9497e5ca4ffc3ef1e5

SHA512
32a5018b8be7801a6a69f505d3602b4515fbcbefce35e708deafbd35a505b70358f66fd52c293dfd407efa86df90c87e001a57bb5a19672778867fce8c96ede2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0715b49974990cc3703e8710bc52620

SHA1
4d7f4138e0df6d3714e00b434564d77b54790b74

SHA256
437dfb68597782cd8c9ee0cacbcd2478373f301c8e619bb4c9836f1df9b2302a

SHA512
9f3c0fd1c45ae4239d0bc15b747dd7147e8ffc75f74e81317fe787d49d229727faf7f2b5f297984864cdd4776a5c64f7f3da485968a4f3e792309b3d5a4a25cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a4b07c86566d1d142908f4cc7971b78

SHA1
31925918c7c8032e477e190d6a40c8340cd740c6

SHA256
1b64f98bdb30ff67813215e5e67beebfd6a31089716531182c71240cbc6d659f

SHA512
724c94b97c70afed7eb8dc43393d2a66c0046766476a5e2bc7be144d81bf035ae128825e64178bed54ca3764950a6b1cf7dac537d19f6fe9dcbe0db6c2c69a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bd38b8572ed42103fce0327c9a2fd53

SHA1
6d3c5790ebaa12d2a030b042e7ff25ea179a1b50

SHA256
56816e73971f0cbedfc4e182def65f3e9ac95ca8468fcee4f6fc99e6b988b972

SHA512
6342526a980b412e3bcaf5d5b88bbb2bffa6266199b120505a6a64203ba7e0797d3d383a33fd551066c16b3a60d5da02b7dbb8c7bf6fd09e5d72bd6af8f412f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5eb762e1bff3d63adecdc76a562f5ad

SHA1
5fd497d2e0407034041782bd0f914d28fbff8e77

SHA256
4baa26a606b3ff4480f2d38362d634e698af4ada68161f98a706ad3f285982f9

SHA512
84295425730bb935d36e878b925d69758200ba7fbb9b008a6029c1a7730a6b1ba47ad0dc90f540f42b8682037a0e4ff1b1ba8dd8dedb5b3b1bd6bdb5ef6466aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a5cca2760974bfa294916637ba98573

SHA1
7095e3362879c40c459cf6e35b56c2d2ac3c9082

SHA256
a2d2ff9ebdf7e3c8f4acbd28f408643201110cedd532a286ab1f13aa1b727525

SHA512
98e77029c4ac62c49ff6819224890451bfe01bc80c03e6bae1f4a0fa53323dde03de1f5f9a5ffa05146f514659d6386a93e82681eadb213393f8221b688dfb03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cf73f339d9f0df06b56a43c90ed3c8a

SHA1
e25bb7f40612db97d7e2b929d0370984e931a7ba

SHA256
8e27013846b4fd1a520c7f2d8741cccea74bdff233302b84a74a0d6a5ea43dee

SHA512
e894addae68a5b1cc9f5e49cc506c096ffebbbf4602ab0528dd119fa581e376308c1204db4557e2b90a62ab369aa04c79a0e7d6a6b7be7ad5e8f9abfc04c9e6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
435f2b77aaa1365f74d98c3f63fab6c3

SHA1
a2a8eeaa4931261e9c824b99c3fde34b7ff5de5f

SHA256
c11c07c9f9543ca3ec910d7c4bc4b7dc9728215abec646451d51f2ed3f4ade7e

SHA512
d7be13908bb4df7242ea03ea99eb4065c5e9415fbfe608f93d96744f72b249d8380843f4b87a425bba81648d884ae72126e6f34a34094dab917bf4c7f406c37b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ed3b965119b73e86caab04246808099

SHA1
14cdefb0ec7b89e2d4eaf526cddaee837e48eebc

SHA256
d34b00c5551cf3e3eb3f95fc4252c778e590ecb142f588ffe03c9e353df06c19

SHA512
9d626ff6c6c50d87cec8e020ca194519ccb6175bc6dfb71ae038a373746f881545ba0be4c477829d2179fe0e913882a64336e22c996a521c5cbf530d8042c7bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f182aa966e3d4603c522437aaf1bbcd

SHA1
00800197e53307db0b80776ef728b975656162f4

SHA256
e41c495d07702085e4e731b6494a1c9349d4be16fcd32fd81a41a2b21f4970db

SHA512
c9a8a4154e9d00ad7c381b5e9c4c2fa3eb16f58022aef293a94eaa1ad1beb85e31d94327cddfca2fde9a4b6a888a530274e3471dadedae298d763b3153c71558

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

Filesize
219B

MD5
a398a270aa2555667698d7587e54ce54

SHA1
e0c59d674f801b44e715c934a7f5985310721dd8

SHA256
13a7a705ccd93156b3cf2385c9f4792adedccf5987ce7dd1aaae717e69de533f

SHA512
c2058f0c0d281de2b2cfd4f40020310a6370a1dbb92f3a29538b13337cc34ab1aa179106f348330d08ffaff8bd121469513b633271061eb4907b2ed2a32562b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
219B

MD5
75bdac10ae3173b11e823a8f7b954e3b

SHA1
9ed1d467c791ba1680057091b11a6996a6da34ce

SHA256
1ba2809c1f32516de02e0170843d82f861f60299381d974d8fa3820b7f006264

SHA512
bc8d754d014d112d3810474f9866f1f7d7d607cc7063e18872cbc991f359d56f59c303174131d7e6a3dc0a34bc154b025f38341b91b0b9c94882ae2358e6ac3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat

Filesize
219B

MD5
ec25449b790ad22f645bcdf277d2623b

SHA1
847dc07ccf160226984687eab5212ee316760a80

SHA256
09e2c7ef2b7ce1e10768896bd5e30e3742720b5184f52c30c2e6783b72004d1f

SHA512
6a3514e2ca4964a752b0dddc064c0510a65014dfa5b134ca5ad660458e0f9b1ca91aaad2855b1823c5b4b78e359dbedd457ecdc31476797fa7b28fd2bf2c50a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE967.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat

Filesize
219B

MD5
b7472fdbc0f3319d34aba60722ff0e69

SHA1
ec270945e564839aa812dd4916eef811c72a7d0b

SHA256
ab00d78ed552bf5e7a100bfdbb266f9ce2055e1beb87ea8cc80e1cf603db5a81

SHA512
8c90316efa6de89045831c0e8a75c6570d3828b49ec48931511c530f12ed289d9bccce39397ac4066e10ca4f0cf814855d24693017ea37724b22a9b87cc30342

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
219B

MD5
ceb04638a88ad51811175eb1ea56fe2b

SHA1
fda35544e81b4c64fd52fa65cc541a9cb1b61e75

SHA256
ae3f73c8d3e51cbb519e577fc28e79c1c394c3a42b4e6ad371599cf737f9f93d

SHA512
652bd5db97fdc5f22d0b641e049ea72361f4f9eba437956201474ad9856135568600c67c3a6f3dc5679b2a2ddf0ea516a81a500806d7c7ef67be398d8f32987c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

Filesize
219B

MD5
0b0cfa351fe308fa5589340e505d8a82

SHA1
1e27df86d839e9b623fb76875c5e745f78b6a3d2

SHA256
4a389625dee8d4b6063d4e0fe45732c02e2eaf20759cca0f7aedb341477eb85e

SHA512
543c76d5de58c31f2738a5130610b0dc8175b93bccdee840eb1738339f2d55781814d6a7fd77bd502dff1bc8e64639c3617e7fc8f76a336c7278f59f4d124f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgAcjqsYPt.bat

Filesize
219B

MD5
9618b5347881ed8a20307a59f6bc0bf1

SHA1
7588fd45092b893eade45aaa6fd5bbaaa3031cc5

SHA256
d8ca86c907457d6cc305cef1d86f028d386e425106b506009365eb0ee5c6e56a

SHA512
e9c3639fd948553082dcfc4af09e363042eac1f1bf7341114dbf08f316ae92d0c15ae08b21ddb0265511639d79b927f838effacb839b44c35a57fbaaa9a7d6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE989.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
219B

MD5
8b7cc58f432a5682a3d9bd1d05cd7775

SHA1
624b31d25ccb8c357c20ac129af9a233c4421a56

SHA256
c5496c5a4fb00bdae86148c4ce3df294d785b198d18489e4927483ea12e38039

SHA512
610c9a5abd5368124f1adbe91e2e1e874a1eccbe0830ce08d253d316444151b41705303b958c7d7ad81e7a130a899f5fa189535f06106defdddba9754cc82cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
219B

MD5
a816d353a7ceec2bf17e235f5a9ca7f9

SHA1
3bed94e278209cc6e7923063e59bed90bdcb5e99

SHA256
3b5ec668dd233f38a09abea354a1a4ff60ea6ebb601d8355aaeea3ef47e09106

SHA512
bfbd1b0d89bf592b8fbeee95237b32bb6b7d8a0f0f8a94d54f7e9f86141f0a0d3bf4e950ba07653ebf0a3e30f9df6b9e1696369f51d8bc4f23d73048379388c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

Filesize
219B

MD5
7b4181f152e6580fd7cff7b3e9aeffd5

SHA1
f54f71611e505f110770967592d254a05cc2633b

SHA256
f7d16e1f29a322df9b9b4116838b917d0596677f61c74662ce1d6abdb7f34454

SHA512
e96df2f64cf08a3cdf14158adcee7a7747124f3b09f06ef2c0e2ee5f974b0470f80fcab9372412ba0f8969d1bae38b75d846a0c787e945541fb12168cd1033d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

Filesize
219B

MD5
0841aa2f829add1431c3018d2838ff87

SHA1
486460a1025e1ca8f4b4e5516f74874d34155f79

SHA256
5e944bfa2d7c132d90151bac335852127c1969e7cf0cefc6a2826bf7b33022a7

SHA512
5a6f2d8f26f089387b8f198742ff8b5a23e03d5f7ffc8c3d4025cd7d6f12104f9a2ec8f505651488f82df5c9fd958742c4df27ff4a142c617e1a35eba86fb8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
219B

MD5
940b629a9cebf0215c74429016954324

SHA1
6b860f2ab216f9282628a606dae070ffb0643e60

SHA256
cd8bfd442166735a4fda48d068e7c2561cd757a83f0abf24993328f4e917d22b

SHA512
8c71e86b6ec04c871a478cd37800565c0c2392f3fb1c5bda231ad13c8c28d6ff648940dfcdf1ac7bc7a26307b4bbfee01d9aed385c8de25e67dc1fb3b8e86e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc0a434137c6e6e6d6d67eb24c4e42b6

SHA1
6eb4a202e4b879c937ac1a5144e2b67f75635790

SHA256
912698ddbba3c75a261f42a8b8ffa5e03902defc6d54f9b1c88eac5deef94c1b

SHA512
7efb436ba6d33c31bc777cabc05e224e0510ad25738dd71e2ce75da078aad675ae5220a5591e01c8ae6fb23cdfed319c8cc796a6e27306300b5d6d1229fa2340

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/620-524-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/884-704-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/1020-50-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1020-49-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/1048-584-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/1076-344-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2036-108-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/2336-644-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2412-14-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2412-13-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2412-15-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2412-16-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2412-17-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2524-464-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2524-463-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download