dcrat | a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a.exe
Size

1.3MB
MD5

59ea906dfd5594c1953ff75a64d85fee
SHA1

faf20d2e2669174df2e9c5db6c864d5ed5ebbf35
SHA256

a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a
SHA512

581fc70c2a546ca829fc791592a28ff9b8c5408481d31b7f729d3aae328695f68d160e47c6db3ba335fe51ca35c857ebc27da939492e47150923a84a346c646f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2764	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015da7-11.dat	dcrat
behavioral1/memory/2240-13-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/2524-122-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/2124-181-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/620-241-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2088-301-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2232-361-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/2772-539-0x0000000000BE0000-0x0000000000CF0000-memory.dmp	dcrat
behavioral1/memory/1032-599-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1448-659-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe
1724	powershell.exe
1052	powershell.exe
1916	powershell.exe
640	powershell.exe
944	powershell.exe
2484	powershell.exe
2568	powershell.exe
1748	powershell.exe
3044	powershell.exe
1696	powershell.exe
1756	powershell.exe
1832	powershell.exe
620	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2240	DllCommonsvc.exe
2524	lsm.exe
2124	lsm.exe
620	lsm.exe
2088	lsm.exe
2232	lsm.exe
592	lsm.exe
2060	lsm.exe
2772	lsm.exe
1032	lsm.exe
1448	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	cmd.exe
2812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\es-ES\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Fonts\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Help\mui\0411\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Help\mui\0411\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
580	schtasks.exe
2032	schtasks.exe
2996	schtasks.exe
3036	schtasks.exe
1328	schtasks.exe
2040	schtasks.exe
1000	schtasks.exe
2192	schtasks.exe
1376	schtasks.exe
448	schtasks.exe
1208	schtasks.exe
1752	schtasks.exe
1932	schtasks.exe
1008	schtasks.exe
2628	schtasks.exe
2376	schtasks.exe
1176	schtasks.exe
1064	schtasks.exe
2844	schtasks.exe
1880	schtasks.exe
1312	schtasks.exe
2620	schtasks.exe
484	schtasks.exe
1284	schtasks.exe
3052	schtasks.exe
960	schtasks.exe
1912	schtasks.exe
1900	schtasks.exe
2888	schtasks.exe
2432	schtasks.exe
2720	schtasks.exe
2452	schtasks.exe
1556	schtasks.exe
536	schtasks.exe
2708	schtasks.exe
2992	schtasks.exe
2408	schtasks.exe
2000	schtasks.exe
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2240	DllCommonsvc.exe
1052	powershell.exe
2104	powershell.exe
1748	powershell.exe
1756	powershell.exe
1916	powershell.exe
1832	powershell.exe
3044	powershell.exe
2568	powershell.exe
640	powershell.exe
2484	powershell.exe
1724	powershell.exe
1696	powershell.exe
944	powershell.exe
620	powershell.exe
2524	lsm.exe
2124	lsm.exe
620	lsm.exe
2088	lsm.exe
2232	lsm.exe
592	lsm.exe
2060	lsm.exe
2772	lsm.exe
1032	lsm.exe
1448	lsm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	DllCommonsvc.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	2524	lsm.exe
Token: SeDebugPrivilege	2124	lsm.exe
Token: SeDebugPrivilege	620	lsm.exe
Token: SeDebugPrivilege	2088	lsm.exe
Token: SeDebugPrivilege	2232	lsm.exe
Token: SeDebugPrivilege	592	lsm.exe
Token: SeDebugPrivilege	2060	lsm.exe
Token: SeDebugPrivilege	2772	lsm.exe
Token: SeDebugPrivilege	1032	lsm.exe
Token: SeDebugPrivilege	1448	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3064	1884	JaffaCakes118_a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a.exe	30
PID 1884 wrote to memory of 3064	1884	JaffaCakes118_a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a.exe	30
PID 1884 wrote to memory of 3064	1884	JaffaCakes118_a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a.exe	30
PID 1884 wrote to memory of 3064	1884	JaffaCakes118_a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a.exe	30
PID 3064 wrote to memory of 2812	3064	WScript.exe	31
PID 3064 wrote to memory of 2812	3064	WScript.exe	31
PID 3064 wrote to memory of 2812	3064	WScript.exe	31
PID 3064 wrote to memory of 2812	3064	WScript.exe	31
PID 2812 wrote to memory of 2240	2812	cmd.exe	33
PID 2812 wrote to memory of 2240	2812	cmd.exe	33
PID 2812 wrote to memory of 2240	2812	cmd.exe	33
PID 2812 wrote to memory of 2240	2812	cmd.exe	33
PID 2240 wrote to memory of 944	2240	DllCommonsvc.exe	74
PID 2240 wrote to memory of 944	2240	DllCommonsvc.exe	74
PID 2240 wrote to memory of 944	2240	DllCommonsvc.exe	74
PID 2240 wrote to memory of 2104	2240	DllCommonsvc.exe	75
PID 2240 wrote to memory of 2104	2240	DllCommonsvc.exe	75
PID 2240 wrote to memory of 2104	2240	DllCommonsvc.exe	75
PID 2240 wrote to memory of 1724	2240	DllCommonsvc.exe	76
PID 2240 wrote to memory of 1724	2240	DllCommonsvc.exe	76
PID 2240 wrote to memory of 1724	2240	DllCommonsvc.exe	76
PID 2240 wrote to memory of 640	2240	DllCommonsvc.exe	77
PID 2240 wrote to memory of 640	2240	DllCommonsvc.exe	77
PID 2240 wrote to memory of 640	2240	DllCommonsvc.exe	77
PID 2240 wrote to memory of 1696	2240	DllCommonsvc.exe	78
PID 2240 wrote to memory of 1696	2240	DllCommonsvc.exe	78
PID 2240 wrote to memory of 1696	2240	DllCommonsvc.exe	78
PID 2240 wrote to memory of 1052	2240	DllCommonsvc.exe	79
PID 2240 wrote to memory of 1052	2240	DllCommonsvc.exe	79
PID 2240 wrote to memory of 1052	2240	DllCommonsvc.exe	79
PID 2240 wrote to memory of 1756	2240	DllCommonsvc.exe	80
PID 2240 wrote to memory of 1756	2240	DllCommonsvc.exe	80
PID 2240 wrote to memory of 1756	2240	DllCommonsvc.exe	80
PID 2240 wrote to memory of 2484	2240	DllCommonsvc.exe	81
PID 2240 wrote to memory of 2484	2240	DllCommonsvc.exe	81
PID 2240 wrote to memory of 2484	2240	DllCommonsvc.exe	81
PID 2240 wrote to memory of 1748	2240	DllCommonsvc.exe	82
PID 2240 wrote to memory of 1748	2240	DllCommonsvc.exe	82
PID 2240 wrote to memory of 1748	2240	DllCommonsvc.exe	82
PID 2240 wrote to memory of 1916	2240	DllCommonsvc.exe	83
PID 2240 wrote to memory of 1916	2240	DllCommonsvc.exe	83
PID 2240 wrote to memory of 1916	2240	DllCommonsvc.exe	83
PID 2240 wrote to memory of 2568	2240	DllCommonsvc.exe	84
PID 2240 wrote to memory of 2568	2240	DllCommonsvc.exe	84
PID 2240 wrote to memory of 2568	2240	DllCommonsvc.exe	84
PID 2240 wrote to memory of 3044	2240	DllCommonsvc.exe	85
PID 2240 wrote to memory of 3044	2240	DllCommonsvc.exe	85
PID 2240 wrote to memory of 3044	2240	DllCommonsvc.exe	85
PID 2240 wrote to memory of 1832	2240	DllCommonsvc.exe	86
PID 2240 wrote to memory of 1832	2240	DllCommonsvc.exe	86
PID 2240 wrote to memory of 1832	2240	DllCommonsvc.exe	86
PID 2240 wrote to memory of 620	2240	DllCommonsvc.exe	87
PID 2240 wrote to memory of 620	2240	DllCommonsvc.exe	87
PID 2240 wrote to memory of 620	2240	DllCommonsvc.exe	87
PID 2240 wrote to memory of 1164	2240	DllCommonsvc.exe	102
PID 2240 wrote to memory of 1164	2240	DllCommonsvc.exe	102
PID 2240 wrote to memory of 1164	2240	DllCommonsvc.exe	102
PID 1164 wrote to memory of 912	1164	cmd.exe	104
PID 1164 wrote to memory of 912	1164	cmd.exe	104
PID 1164 wrote to memory of 912	1164	cmd.exe	104
PID 1164 wrote to memory of 2524	1164	cmd.exe	106
PID 1164 wrote to memory of 2524	1164	cmd.exe	106
PID 1164 wrote to memory of 2524	1164	cmd.exe	106
PID 2524 wrote to memory of 772	2524	lsm.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a05630f9e9a8e007ee8b241259cb6d00ea7b6d7bd2f3534f7342de513a385f5a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\0411\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBgflplWVG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:912
      - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
        7⤵
        
        PID:772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1732
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        9⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2676
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
        11⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:804
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
        13⤵
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2516
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        15⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:348
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"
        17⤵
        
        PID:1208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2948
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
        19⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2148
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        21⤵
        
        PID:328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:780
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        23⤵
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:944
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\de-DE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\mui\0411\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Help\mui\0411\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\mui\0411\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60f7067604d042c1171a623c06a417b6

SHA1
fcc00fec402081a740ba520bd394a8ab1020e7cf

SHA256
7cf0f64f456e66728234d6bc2ae09026b7ee36ddb8b2998a57156bbe172c50a7

SHA512
3eaf0f27a3bc6d3c35d8ff6115490bc2fd013725daea2061103e8bd896b4e079de55c97ced1db70c002132f8f5beb8442c63b011b86b7f2ff1df5416070b4c6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1c0c33ff0b72452b06aa5309a410d20

SHA1
4ec93ed4cd8c69459dfbbc4c1c436bda811bbd52

SHA256
cc7477a2e07ef44005882baa970f999112a5220f157b671a5f6e82ba3125b96a

SHA512
068679dc43295dcdde95f69eefe9cba6aca19e7af0d94b773b8c76a45e3fae2bbafd8d5d4fa41065a1a3b2e43759fbf93ca9226b8f79dc453efdc81245345fee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a2c1b9eda107e072337c590d8cc3112

SHA1
0e74f363c1f3afd4aa7659288576c936c457a438

SHA256
7c2c6ecbc29cd52d608fbc3e413235e897db41e4e109815445e5ed4e826d19cb

SHA512
84279b53fec3653120e14ce65bcba3f852c8fe59fdebeeb5a76597e73ee38923c2ae0196bff968b9eacd98aab382b54ac776c01dcc18143d9c470e41ca13aca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b489e7198572c4347df8b8b38f92d52

SHA1
88acaca3a22baf4a5b707f6565d2e6d08f7b00b2

SHA256
9f52207cfb02863b3ba7b7071fc95efaedcf1123ef4ffc0bc4fb8834fb559de8

SHA512
4abfe2f162042f8cf02fd7ed2dd0c0e4a750772529ecd089e60f94fe1bc9cf599938c21aa04b947287877054c0269617e0e787b1c86b2dab0960b7d107bc5095

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea85bd2b3359a4612220dff899a48ef2

SHA1
90129a65f5245b0b675e599ee5a4ba190462a546

SHA256
e90f63d37cf42daa7c0ca921de133d50f7c4f12fadd6b5db594089f83eb49bb0

SHA512
0897bd3907bc25fcd8e5499f653678d8100ddcdd15dd12afcb25e06be468d9cd4340652389ddb976a500a02d893044b1569ac2e4c295c36b5b95bf54e1df45f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2f1c92a36dd4b72c3b0df4dad0e1041

SHA1
3b8092a3936e4a85dbef0542a0329ceb9098c1a8

SHA256
3c097dcfc5b991fde2530f507b13530bf3b454ace68b311371669c1bb5bce9c0

SHA512
bde5bc839a122ee7eda0e269f863689035aeb573f2973a18e5eb4555aaedf64a4d05bb0c1e8f80005b12f4bf96fd52bffa602ec8dc0dd21f80e510f5dc25e8cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4979b47b0ce9e4539bef75dbad9e99f8

SHA1
0ecec2351397cb2298586f721c7674ebef05c6c6

SHA256
d872ddd1005561123cf9248a3c38eaca74dfcd525aa76d56ec8b320fdf27604b

SHA512
7c31a63fcf3feba3d86b06893bc3d93e090edc145d9b20a836b7646bc6fcb4a2fcb6f7d25fbdf90e27d8d9aa0455f074102e86b41903a75fb93d6a17b10c148e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4a1648d4754933ddc71308e4ccd9943

SHA1
32ea27ff8a61cb32453abf520811353a83774f08

SHA256
e7184178419f75a7f82c45b77e82bf2d04ea10ed6ae6cbf8ea97fb4e056db83e

SHA512
7b806d6f56c9725bfe3d68c1c72e213680a7ece70568aa4b42b935884ef57fc988a220d5d47319fdff3773a14f857f7cb6e3c3d23aa434198fbf2f05d8511811

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

Filesize
221B

MD5
a777b3bb0c6dbc1664466794502265dc

SHA1
125a47dc02fe894f47a42de4f8a6710656395b50

SHA256
052f4ead4f9eb695cd8428561d6785c1bd01fe585f54011452bbd66137bf9eea

SHA512
8bc3e63aafabb272a2a2cf009bcd233b676a543408ce0aefca5c719f256d1a8db58aa37985714cfacaa8fc2acc5807ce3326a8a0e1ca6dd496749287266e61fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1306.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
221B

MD5
5cba73ae539a2b289785c6491201e70e

SHA1
2cc17c4e04c2e9bd81649a7de835d7d3bd9390f4

SHA256
c059ce49354af4d152a95a5ebaea5b8a6d19322b3b94c7a9120b5fed24905760

SHA512
036309fde1adb31aa02d483e5360071b804dd7ac985d03a4f0217018495dfde7ff0e97f72fe66fd5c69e5deed2bd6e5ed3e45b91e62216c73b000ce2095cad58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1328.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

Filesize
221B

MD5
e807a6be61875f4435470262dfdcaee9

SHA1
b6f09373c8b5d6bf578d792c8dd1be1cb87e8302

SHA256
10e69786ad5c1de1c7af05ab0c4c19e8d1eb7bad60f39b3533f882d60701b08d

SHA512
0b4f3749646150ad006892ae048019cf3761426bed7c61f4ca7e7e02c611eabe6e785c0f236e9b008dda2a41a232943a28c9f4c8e2b949ebfecc8bd89d7cf5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBgflplWVG.bat

Filesize
221B

MD5
8b2a449557e17b58c2f07f3888458e79

SHA1
c39501fdf8f84db233f0baba6bf4b1cc53288933

SHA256
22f86807bb76b7622aa33265f2757bc69eca3c421a17f5659ed4ae08d2cd3858

SHA512
2905158fdc3ba9e25e5c9ae1ed117c34918a861e9a5f5ece92c0c49ebbf5557539d4f91c812b991d5f8a66659504cea972ce7ef1cfaea639876dbed91a1504f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat

Filesize
221B

MD5
d757618224a8a7aa7fc47275240f5d12

SHA1
83a631a978e5c9d9bc80ab49282b959e7c1d3485

SHA256
d5fdbfa8300783a4f2eabb5a1d7e2d00e4a7e7004dc78e2f59c7afe5543f0dcd

SHA512
b575d181b9edb7d28260462fa9611d802c2a03b2b40367d865759d5b15c1bead4160dacde47bf7003572def1a609e98a52a35d645d3052532c105d10ea37cfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
221B

MD5
e0639f4df707e173bc542b3fa7e18315

SHA1
e327f64f770a7f336ab332f56765fe8649c036e1

SHA256
832c50b899d0e1cdb4c40170ef234938945dffe0948c442d009306e75c136828

SHA512
ca14a94c4d918e9fe67fff2039859c214fb1ab4944313167dd27532b6e909b9051e8155182bd4d705b9185bb634bb98cd455d18a70c07935465317427ee4c5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat

Filesize
221B

MD5
5b1f5b69a2a94ef2a19090bf6f14a069

SHA1
6b43f4f67557829c14c68c2753634058f271a34d

SHA256
5f1b3b687cc356ef53fde6a73d48b3edd8b97e7f374d2bfab2162f5f8c2d5f96

SHA512
d211a7cb95f6b33a4398dadd9dccecdd1d7cee1313a46d459f84554dc9e55ac01c448a2c39e4108e0e6172b734df40859f6fa87561105dd5fd6bd0080d035336

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
221B

MD5
2dc8e5621f4d1b77d02c41c1dcaf328a

SHA1
a0dad9057e316bee5894928bfc14df2978d2678d

SHA256
d0dd1c614b7f4b044a5029e0c599ac0dcea28f2166b1c72d73dc2301b954c18e

SHA512
de42acb2799b52a634e480b536de4586175cb9df0cf8f5af2ab1ab76d5a4d8e4c23a0bf2bbe8d1dcb8ab33cfdf7f72dcde67d5eb623776b128ae525c05df9723

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

Filesize
221B

MD5
81313ddf9ec5b75633b0aa333d640b93

SHA1
4061983270518e6b241a7b7e33f769bf69a08a77

SHA256
998ee12a7065cb12b22a898260df5bd442eedf02c7802a2a06ae633050e3e973

SHA512
f754ef3404bc23235d243e26c7cabbb0b083756762255b1c8c923d933c8306e723ea959b97ea8a5bc6bf5e6ed5e69a4382aa107bb6c62de09e30cbec92ae370e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

Filesize
221B

MD5
8a0af152f2f7c90ff290fa4e8b48c6ae

SHA1
fc082bbe65d6794e0a34174c29c946b3c8271c32

SHA256
49b4a18ed43fcb28e3be284bde71906781d4dc0ad99cf7fb3e5eb2cbb2b28e59

SHA512
23f684e10f1b4e9bf09af99a1253a23cb6a5cd3b25e29da269246ffb348171aae0ca9052d924cda51dc323088f310cbf02ac506ed63269419e51f593114b9495

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5fda1e4c68dd7c0495ca00c865b562f3

SHA1
64a571b47efa5745a66275a8ee84f52906bd4fbe

SHA256
85d36c7ad63b04878aa2477eeb37f6a216882bd326bf9758726053d81a3f83b8

SHA512
5a8f3bac4ddeee1bf483dfa5fc5bf489cf3ccfc7c5cb830debca1d11bb5f242998234f03be556f96aa3db8edb0ed362307c9093abc1b3fa52b27e8268421c05f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/620-241-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/1032-599-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/1052-58-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/1448-660-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1448-659-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/2088-301-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2104-59-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2124-181-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2232-361-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/2240-13-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/2240-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2240-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2240-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2240-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2524-122-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2772-539-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

Filesize
1.1MB

Download