dcrat | acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4.exe
Size

1.3MB
MD5

d8352e04b33856f9be313b0839e96697
SHA1

ad4c2757be83f61bfe463f86f77f99b45d35e02f
SHA256

acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4
SHA512

89bfe90a862e85bd1bbb2c98395159c02944120da930131c342ec0b88f97d7650b7f1026f3706794b94951f468fb0553603ff59443e71d94f144c6fa3f75f8ce
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2604	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015e25-9.dat	dcrat
behavioral1/memory/2992-13-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/1616-122-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/2640-181-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2392-242-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/1124-302-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/2056-362-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/2144-422-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/3016-541-0x0000000000FB0000-0x00000000010C0000-memory.dmp	dcrat
behavioral1/memory/2784-601-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1036	powershell.exe
2476	powershell.exe
3044	powershell.exe
2036	powershell.exe
2512	powershell.exe
1164	powershell.exe
948	powershell.exe
2176	powershell.exe
1824	powershell.exe
2244	powershell.exe
1052	powershell.exe
772	powershell.exe
2148	powershell.exe
2100	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	DllCommonsvc.exe
1616	spoolsv.exe
2640	spoolsv.exe
2392	spoolsv.exe
1124	spoolsv.exe
2056	spoolsv.exe
2144	spoolsv.exe
2236	spoolsv.exe
3016	spoolsv.exe
2784	spoolsv.exe
1892	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Tasks\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1752	schtasks.exe
2000	schtasks.exe
2704	schtasks.exe
2296	schtasks.exe
1732	schtasks.exe
1132	schtasks.exe
2676	schtasks.exe
2060	schtasks.exe
2796	schtasks.exe
2448	schtasks.exe
1324	schtasks.exe
1780	schtasks.exe
2428	schtasks.exe
3012	schtasks.exe
1760	schtasks.exe
376	schtasks.exe
2352	schtasks.exe
2224	schtasks.exe
288	schtasks.exe
2272	schtasks.exe
2680	schtasks.exe
2520	schtasks.exe
2004	schtasks.exe
3048	schtasks.exe
620	schtasks.exe
1332	schtasks.exe
2336	schtasks.exe
1612	schtasks.exe
2456	schtasks.exe
1856	schtasks.exe
576	schtasks.exe
2952	schtasks.exe
2420	schtasks.exe
2424	schtasks.exe
1268	schtasks.exe
2488	schtasks.exe
320	schtasks.exe
1744	schtasks.exe
532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2992	DllCommonsvc.exe
1164	powershell.exe
772	powershell.exe
1036	powershell.exe
2244	powershell.exe
1824	powershell.exe
2100	powershell.exe
2476	powershell.exe
2036	powershell.exe
1052	powershell.exe
2148	powershell.exe
2176	powershell.exe
3044	powershell.exe
948	powershell.exe
2512	powershell.exe
1616	spoolsv.exe
2640	spoolsv.exe
2392	spoolsv.exe
1124	spoolsv.exe
2056	spoolsv.exe
2144	spoolsv.exe
2236	spoolsv.exe
3016	spoolsv.exe
2784	spoolsv.exe
1892	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	DllCommonsvc.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1616	spoolsv.exe
Token: SeDebugPrivilege	2640	spoolsv.exe
Token: SeDebugPrivilege	2392	spoolsv.exe
Token: SeDebugPrivilege	1124	spoolsv.exe
Token: SeDebugPrivilege	2056	spoolsv.exe
Token: SeDebugPrivilege	2144	spoolsv.exe
Token: SeDebugPrivilege	2236	spoolsv.exe
Token: SeDebugPrivilege	3016	spoolsv.exe
Token: SeDebugPrivilege	2784	spoolsv.exe
Token: SeDebugPrivilege	1892	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2316	2800	JaffaCakes118_acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4.exe	30
PID 2800 wrote to memory of 2316	2800	JaffaCakes118_acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4.exe	30
PID 2800 wrote to memory of 2316	2800	JaffaCakes118_acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4.exe	30
PID 2800 wrote to memory of 2316	2800	JaffaCakes118_acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4.exe	30
PID 2316 wrote to memory of 2732	2316	WScript.exe	31
PID 2316 wrote to memory of 2732	2316	WScript.exe	31
PID 2316 wrote to memory of 2732	2316	WScript.exe	31
PID 2316 wrote to memory of 2732	2316	WScript.exe	31
PID 2732 wrote to memory of 2992	2732	cmd.exe	33
PID 2732 wrote to memory of 2992	2732	cmd.exe	33
PID 2732 wrote to memory of 2992	2732	cmd.exe	33
PID 2732 wrote to memory of 2992	2732	cmd.exe	33
PID 2992 wrote to memory of 1164	2992	DllCommonsvc.exe	74
PID 2992 wrote to memory of 1164	2992	DllCommonsvc.exe	74
PID 2992 wrote to memory of 1164	2992	DllCommonsvc.exe	74
PID 2992 wrote to memory of 948	2992	DllCommonsvc.exe	75
PID 2992 wrote to memory of 948	2992	DllCommonsvc.exe	75
PID 2992 wrote to memory of 948	2992	DllCommonsvc.exe	75
PID 2992 wrote to memory of 3044	2992	DllCommonsvc.exe	77
PID 2992 wrote to memory of 3044	2992	DllCommonsvc.exe	77
PID 2992 wrote to memory of 3044	2992	DllCommonsvc.exe	77
PID 2992 wrote to memory of 2476	2992	DllCommonsvc.exe	78
PID 2992 wrote to memory of 2476	2992	DllCommonsvc.exe	78
PID 2992 wrote to memory of 2476	2992	DllCommonsvc.exe	78
PID 2992 wrote to memory of 2244	2992	DllCommonsvc.exe	79
PID 2992 wrote to memory of 2244	2992	DllCommonsvc.exe	79
PID 2992 wrote to memory of 2244	2992	DllCommonsvc.exe	79
PID 2992 wrote to memory of 2036	2992	DllCommonsvc.exe	80
PID 2992 wrote to memory of 2036	2992	DllCommonsvc.exe	80
PID 2992 wrote to memory of 2036	2992	DllCommonsvc.exe	80
PID 2992 wrote to memory of 2100	2992	DllCommonsvc.exe	81
PID 2992 wrote to memory of 2100	2992	DllCommonsvc.exe	81
PID 2992 wrote to memory of 2100	2992	DllCommonsvc.exe	81
PID 2992 wrote to memory of 2148	2992	DllCommonsvc.exe	83
PID 2992 wrote to memory of 2148	2992	DllCommonsvc.exe	83
PID 2992 wrote to memory of 2148	2992	DllCommonsvc.exe	83
PID 2992 wrote to memory of 772	2992	DllCommonsvc.exe	85
PID 2992 wrote to memory of 772	2992	DllCommonsvc.exe	85
PID 2992 wrote to memory of 772	2992	DllCommonsvc.exe	85
PID 2992 wrote to memory of 1052	2992	DllCommonsvc.exe	86
PID 2992 wrote to memory of 1052	2992	DllCommonsvc.exe	86
PID 2992 wrote to memory of 1052	2992	DllCommonsvc.exe	86
PID 2992 wrote to memory of 2512	2992	DllCommonsvc.exe	88
PID 2992 wrote to memory of 2512	2992	DllCommonsvc.exe	88
PID 2992 wrote to memory of 2512	2992	DllCommonsvc.exe	88
PID 2992 wrote to memory of 2176	2992	DllCommonsvc.exe	89
PID 2992 wrote to memory of 2176	2992	DllCommonsvc.exe	89
PID 2992 wrote to memory of 2176	2992	DllCommonsvc.exe	89
PID 2992 wrote to memory of 1036	2992	DllCommonsvc.exe	90
PID 2992 wrote to memory of 1036	2992	DllCommonsvc.exe	90
PID 2992 wrote to memory of 1036	2992	DllCommonsvc.exe	90
PID 2992 wrote to memory of 1824	2992	DllCommonsvc.exe	91
PID 2992 wrote to memory of 1824	2992	DllCommonsvc.exe	91
PID 2992 wrote to memory of 1824	2992	DllCommonsvc.exe	91
PID 2992 wrote to memory of 2892	2992	DllCommonsvc.exe	102
PID 2992 wrote to memory of 2892	2992	DllCommonsvc.exe	102
PID 2992 wrote to memory of 2892	2992	DllCommonsvc.exe	102
PID 2892 wrote to memory of 1124	2892	cmd.exe	104
PID 2892 wrote to memory of 1124	2892	cmd.exe	104
PID 2892 wrote to memory of 1124	2892	cmd.exe	104
PID 2892 wrote to memory of 1616	2892	cmd.exe	105
PID 2892 wrote to memory of 1616	2892	cmd.exe	105
PID 2892 wrote to memory of 1616	2892	cmd.exe	105
PID 1616 wrote to memory of 2272	1616	spoolsv.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd7f8db5cb7d59044b04902dd691239d7a1d632527d269961ff1530d23f84d4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rahNklDhXh.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1124
      - C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
        7⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2444
        
        C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
        9⤵
        
        PID:1820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1600
        
        C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat"
        11⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1772
        
        C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        13⤵
        
        PID:1280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2444
        
        C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
        15⤵
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1052
        
        C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        17⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2244
        
        C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat"
        19⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1864
        
        C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        21⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1948
        
        C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
        23⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:544
        
        C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Public\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b54a9bf1c9c2aa072a95437cf4abdd5

SHA1
efb1c38d1851e83a6f5308564429da5d9c041d77

SHA256
ca10bbc6be9cdd2232f0f0911a35ba312e7c8a9dea6c7377cf44a931a4c7cf63

SHA512
be36bfa2082b7b76806273b442f5ee6e12f4725821ca2f34a944933008eff0102a16b9dfe61b936a91117b0fa847ebc75cbfbe0012e44c3b93ac35d06b507b99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
953df2a068f0687423186fad3c17a490

SHA1
ba5417e8dc02f9c1b64df564d94cac5c045bbc63

SHA256
d9adcf21af2a87c11514120d3b3999008a7dd254a2a0d26ef0b00398b5d751e1

SHA512
4c01ba9eb30faf9005fdaf8aa68f59317adbc7e84925c43631c2a4695b8d7a9fe8cfef41c0487b5e440bfd9b22b92ffc683b25c44e57a817bd821e2ae75227cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e30bdda8574fcff4254496c0efce5906

SHA1
682747b2a5bd31d180987ce4a220e40e6440800c

SHA256
1696c475320bccfd6f30cfc78c8545e00de56419e8312fed574303232f504863

SHA512
4d6fc09fcfe1272ee85aa9c82a3570b2618847ea4bbfd1d8473b0ace18cf3a0f8b419527e64d9ec2cc500572dce7fb9eeb74dd032490fdeef39f94df48248364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b634ee5e36e6e4ef8831a8e0c73aa0ef

SHA1
e2925ba429a42e50a73ea76effdbe5781e1827d2

SHA256
a0381bd7378cb507226ebe0febcb37a4efef7678cb12e717a2ba6bdd97bd9686

SHA512
a8374fbd7d65a2bbd087e6c36344cd3b0174ba38d1bd2be31ee849fdfd060d133ce68c12d96c37a26403fcabe81c877fbf0948ce98359ef374b15e3ac2ab7f56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b097b0dff5a471194a3b7cd77746eb56

SHA1
89b64ac6729fd27111caa1b2f1c9ebb8799e17ac

SHA256
ce9d14493acf8a90298d4ec1cb75bf45892b524ad4dfda0d9a680a5da4df1308

SHA512
9a97a64a667c5d1f40d17639611b6155067d45c572a4c1a0fa551b8ffd64b02b6e0955468f1f1c9f2cdf55dc72383181e9190656b1fbe266a6b7b2749767bdf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9c7780470b9de873284460f0cc8bb81

SHA1
566d9a891e4c5b3b61f94d902fa237fa786d289e

SHA256
195b3270ba1338fbbde51b0e68ad94a46a4f35f41ceef70c476909b30527cc0a

SHA512
d3e6c4ec1ae40323ec205352d6409cc57d51c5b2178d94185837ab24b8625539e6c04f6c9eba2fff97f2917836979c469224ac00d7b5304ddb80449bf4f8ff63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bb132205338df3c92e2a33c0850a379

SHA1
8272d70777c23460602f4c5e0d6a859438658898

SHA256
65626e9e4e0bfff3c22b174205a19391034726b650a1e5a3e9ba8581aabe32af

SHA512
a5d88dae63f0e4900247a651fe66569ce4a4146aba688a08732a3ce1329ad709bc07752a9dcd6394a33ef76f132b2064d9c2b4da8af37da696ad23b1bf572708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebfa0562b1f53d2ebf80c34f375e4f4a

SHA1
2f65d52a92992287493400be7b9824be95133ee9

SHA256
bcd1b82d1ebd0fbb3aaa69cc821fdf36120afad5af93fe74dba89c1c3439f19c

SHA512
82e92dbda77db658e2f07493f96d2b9bef390c014753b09fd76dbaea5d9bf0ce52b813583538756b477ed80bf3b27041ad3412c81ab3d2e61560e08c8981189a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat

Filesize
220B

MD5
f1976a0cad02af84074e3cf29eeb12d3

SHA1
50c8ee10e50c436c5ea6a250f4461e2ffe051c9f

SHA256
ded0793567ebd03a5f790554355089ed874bd32d6ec772c0389f903f8279bb0e

SHA512
ded4738a902d4b47baaa3c30e08724602c4536488109d62aa5fba465baf1af0199a043e22295ca2c3e9258429f67ec619cd1fd170e56975e8287b4554acb9646

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat

Filesize
220B

MD5
c68f4c3eb7b418a0eaecb6026acbbc79

SHA1
66981463089f19c2c999c5e196000977ca20adcd

SHA256
72086a0a75848eafc680949aa43ca124b44897b64034ba3247e1814d4141faac

SHA512
e3402290b0c4fb06e11a90ee6bcf4428386c64845752563954323a707864f1b2358d45b0c3e1808c1c280aafac4a5c6162e8c2959997dc5ce1f1be473805afe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD886.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

Filesize
220B

MD5
0842c5bc5339480bb750cc7b5d0ea810

SHA1
f1ad6cb161f9348a81ff0a09b683b3d0451a8793

SHA256
52589954a72d0b86d41056abc4d5f7563b88876f2bb60437669162e8e092183b

SHA512
b14a38ed4eafc709fec766ae316044be28b1bbec7b70540b5885ac6c90354c1359dd19e1bdd1369f82998d789c9cae64504a36a4fcf8a08c8fbd2c5d491b6983

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD898.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

Filesize
220B

MD5
1a7cddc92cb99e13f52a854c77140324

SHA1
cf9d350be1fc2c356466be1b153fadaa8f977525

SHA256
e587b5a6ea8c4d4ef518ed41b25d678d73425b48a1547e810dd3485ee8138c5c

SHA512
1fd19b89e7b844849624a51882ed6b14ea9c1c09b2bc4fcb47df755f6936b6e53139f1d71efa9c278376761ce816c87593312fbe14fd8a133856771a54d32036

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat

Filesize
220B

MD5
76b64ba00724f8605684dc8d2fbf7b48

SHA1
d451274ec095a4ca7f216a82572438cd27e44730

SHA256
8316b1407b9dbc34c930d0f1111d930a6744331722ff0cbbd76e290043094c4d

SHA512
784e1ea32f7c3e2f577cdc8861ea1b090814064b3ae1c09b0a863625bbad4196a4b32ab96909b254dc3a98bb3c1a930f1a917ab2bb0acf0ee0055e52bbe83b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
220B

MD5
1f4c7e3feaabcff1bb5885f89dd686cf

SHA1
cac9ca8bc26e9aef39dd902decb63916e50dce77

SHA256
e11535ae7a4bdc5311ebd6c11c5e3b795cdde34d383dcb369a4bbe44a7e20c89

SHA512
29675090e996a406a331fa2344eec882035a39e188396c2f1cff6effd59e502805a324f44807bfd5b3e21a5e30e873f4620d993d2f16eec4644bf34d9cf0fff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat

Filesize
220B

MD5
41eeb7e3887fb8d3fd0b4bed2674894c

SHA1
4fad1cb3eae898d3c7e9e2a9c1e55e7f913351f3

SHA256
1f8c95dc5a3c59945b426358db016f4f1db7ff6b56812d29adb0ef8310300a85

SHA512
bdca313298d0b601231bb577864802e8a05dea235bc1bdcc0582e6d0ca5968a434c555981e0d3ad2a72fef89d81f08b537a10b488987fe231528c29e371dfc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rahNklDhXh.bat

Filesize
220B

MD5
8dcc827a71c8773f288ca1036b10195d

SHA1
ed988b4f6b34420a78dc8cad791a5bd2f01e1637

SHA256
656ff4a1a142d3c064e70c75e9773e1e8e06969145539cfd7d4d81918b1e853f

SHA512
8061f94fe2ee21bd48e9a4c35b028c420edf775d95147a4395d71b9790a7cf22d737093a9ad10f2093b2f649a560f68d2317e7c1ffb0e2d7797358082efec3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
220B

MD5
913142f9f4f5fa8c0ad34df692314d3d

SHA1
3493b9149c03963e668cb4b568f66de92288583a

SHA256
02ebd95d4c30c9229f6ccc0d90a23168b0d76835178504daa3cbfa0853ee0073

SHA512
1a6d1b660d435a4f05b6c171fd38b1e71d9ed9ca183abdfcc1e8e1a6dc5faf6d45f4ae723533865f72d03db0952e53dc21f9ebf19cf6926f1e7407913a981fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
220B

MD5
5ec50958933888e2c0e9a4554c1515b2

SHA1
d94588529dc7de134a94347dc46d550fbb6b42c8

SHA256
9a0babed5f98cfad4718550a46903c6eaed00d80a6d5dcad5a7d986a2d12a577

SHA512
5f6eef30f9f55ee6ed4e585bcc727f95878a63b36452c5067071e5a3bb4c8f761a145f14893de526ad93f3020b95cabbcd76a8dd3f03c66185c2c356a5f4270e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d929a534cb431c7c2ff7d588f4a8657a

SHA1
b7b23df777d6ad08470d816d5e851afc4d32026a

SHA256
bd1642c6d5f8e41a87c916c75de833c8a182c78e541ac4ae6c99bca5d9f94a73

SHA512
805e10ca93c188a0df6d55f80db61a07d1ee0af7853172dcd7951a9a817ce0378e1d58f312eba9b9fee72280bc60aa2c40fd484111111c96533a5f4b7770e78d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1124-302-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/1164-54-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1164-53-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1616-122-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/2056-362-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2144-422-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2392-242-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/2640-181-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2640-182-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2784-601-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2992-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2992-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2992-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2992-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2992-13-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/3016-541-0x0000000000FB0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download