dcrat | 0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6.exe
Size

1.3MB
MD5

898755334a06025b7f799ce8da4beae2
SHA1

5a3e9ff8baf41b0d51b6d683cfc30cfff3afe883
SHA256

0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6
SHA512

34e1f182aa3dd001dc4470721edc7a1198716f5a9d5176a041d59b31f2bb89ea0943c9c777be6787a1a15b8155a6bfb1a55a472949ac89594d354947639ad6a2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2880	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2880	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016c88-9.dat	dcrat
behavioral1/memory/2212-13-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/2220-53-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/1568-173-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/1812-292-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/1488-352-0x00000000009E0000-0x0000000000AF0000-memory.dmp	dcrat
behavioral1/memory/2680-412-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/2816-472-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/1700-592-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
900	powershell.exe
492	powershell.exe
2164	powershell.exe
1772	powershell.exe
2484	powershell.exe
2504	powershell.exe
948	powershell.exe
768	powershell.exe
1036	powershell.exe
2372	powershell.exe
1776	powershell.exe
880	powershell.exe
1720	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2212	DllCommonsvc.exe
2220	lsm.exe
1568	lsm.exe
2052	lsm.exe
1812	lsm.exe
1488	lsm.exe
2680	lsm.exe
2816	lsm.exe
2072	lsm.exe
1700	lsm.exe
2044	lsm.exe
2480	lsm.exe
2744	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2620	cmd.exe
2620	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com
5	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\taskhost.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\addins\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\addins\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\ja-JP\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\schemas\EAPMethods\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2656	schtasks.exe
2788	schtasks.exe
2960	schtasks.exe
2744	schtasks.exe
2936	schtasks.exe
1292	schtasks.exe
2084	schtasks.exe
896	schtasks.exe
2996	schtasks.exe
2460	schtasks.exe
2228	schtasks.exe
1856	schtasks.exe
1788	schtasks.exe
1412	schtasks.exe
612	schtasks.exe
2828	schtasks.exe
1660	schtasks.exe
2244	schtasks.exe
2160	schtasks.exe
916	schtasks.exe
1624	schtasks.exe
1716	schtasks.exe
856	schtasks.exe
2688	schtasks.exe
1600	schtasks.exe
2012	schtasks.exe
1452	schtasks.exe
864	schtasks.exe
2660	schtasks.exe
2712	schtasks.exe
980	schtasks.exe
1928	schtasks.exe
1708	schtasks.exe
2328	schtasks.exe
2548	schtasks.exe
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2212	DllCommonsvc.exe
2212	DllCommonsvc.exe
2212	DllCommonsvc.exe
2484	powershell.exe
880	powershell.exe
1036	powershell.exe
768	powershell.exe
1720	powershell.exe
2504	powershell.exe
2164	powershell.exe
948	powershell.exe
1776	powershell.exe
492	powershell.exe
2372	powershell.exe
900	powershell.exe
1772	powershell.exe
2220	lsm.exe
1568	lsm.exe
2052	lsm.exe
1812	lsm.exe
1488	lsm.exe
2680	lsm.exe
2816	lsm.exe
2072	lsm.exe
1700	lsm.exe
2044	lsm.exe
2480	lsm.exe
2744	lsm.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	DllCommonsvc.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2220	lsm.exe
Token: SeDebugPrivilege	1568	lsm.exe
Token: SeDebugPrivilege	2052	lsm.exe
Token: SeDebugPrivilege	1812	lsm.exe
Token: SeDebugPrivilege	1488	lsm.exe
Token: SeDebugPrivilege	2680	lsm.exe
Token: SeDebugPrivilege	2816	lsm.exe
Token: SeDebugPrivilege	2072	lsm.exe
Token: SeDebugPrivilege	1700	lsm.exe
Token: SeDebugPrivilege	2044	lsm.exe
Token: SeDebugPrivilege	2480	lsm.exe
Token: SeDebugPrivilege	2744	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2580	2096	JaffaCakes118_0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6.exe	30
PID 2096 wrote to memory of 2580	2096	JaffaCakes118_0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6.exe	30
PID 2096 wrote to memory of 2580	2096	JaffaCakes118_0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6.exe	30
PID 2096 wrote to memory of 2580	2096	JaffaCakes118_0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6.exe	30
PID 2580 wrote to memory of 2620	2580	WScript.exe	31
PID 2580 wrote to memory of 2620	2580	WScript.exe	31
PID 2580 wrote to memory of 2620	2580	WScript.exe	31
PID 2580 wrote to memory of 2620	2580	WScript.exe	31
PID 2620 wrote to memory of 2212	2620	cmd.exe	33
PID 2620 wrote to memory of 2212	2620	cmd.exe	33
PID 2620 wrote to memory of 2212	2620	cmd.exe	33
PID 2620 wrote to memory of 2212	2620	cmd.exe	33
PID 2212 wrote to memory of 2164	2212	DllCommonsvc.exe	71
PID 2212 wrote to memory of 2164	2212	DllCommonsvc.exe	71
PID 2212 wrote to memory of 2164	2212	DllCommonsvc.exe	71
PID 2212 wrote to memory of 1036	2212	DllCommonsvc.exe	72
PID 2212 wrote to memory of 1036	2212	DllCommonsvc.exe	72
PID 2212 wrote to memory of 1036	2212	DllCommonsvc.exe	72
PID 2212 wrote to memory of 492	2212	DllCommonsvc.exe	73
PID 2212 wrote to memory of 492	2212	DllCommonsvc.exe	73
PID 2212 wrote to memory of 492	2212	DllCommonsvc.exe	73
PID 2212 wrote to memory of 1720	2212	DllCommonsvc.exe	74
PID 2212 wrote to memory of 1720	2212	DllCommonsvc.exe	74
PID 2212 wrote to memory of 1720	2212	DllCommonsvc.exe	74
PID 2212 wrote to memory of 900	2212	DllCommonsvc.exe	77
PID 2212 wrote to memory of 900	2212	DllCommonsvc.exe	77
PID 2212 wrote to memory of 900	2212	DllCommonsvc.exe	77
PID 2212 wrote to memory of 880	2212	DllCommonsvc.exe	78
PID 2212 wrote to memory of 880	2212	DllCommonsvc.exe	78
PID 2212 wrote to memory of 880	2212	DllCommonsvc.exe	78
PID 2212 wrote to memory of 1776	2212	DllCommonsvc.exe	80
PID 2212 wrote to memory of 1776	2212	DllCommonsvc.exe	80
PID 2212 wrote to memory of 1776	2212	DllCommonsvc.exe	80
PID 2212 wrote to memory of 1772	2212	DllCommonsvc.exe	81
PID 2212 wrote to memory of 1772	2212	DllCommonsvc.exe	81
PID 2212 wrote to memory of 1772	2212	DllCommonsvc.exe	81
PID 2212 wrote to memory of 768	2212	DllCommonsvc.exe	82
PID 2212 wrote to memory of 768	2212	DllCommonsvc.exe	82
PID 2212 wrote to memory of 768	2212	DllCommonsvc.exe	82
PID 2212 wrote to memory of 948	2212	DllCommonsvc.exe	83
PID 2212 wrote to memory of 948	2212	DllCommonsvc.exe	83
PID 2212 wrote to memory of 948	2212	DllCommonsvc.exe	83
PID 2212 wrote to memory of 2504	2212	DllCommonsvc.exe	84
PID 2212 wrote to memory of 2504	2212	DllCommonsvc.exe	84
PID 2212 wrote to memory of 2504	2212	DllCommonsvc.exe	84
PID 2212 wrote to memory of 2484	2212	DllCommonsvc.exe	85
PID 2212 wrote to memory of 2484	2212	DllCommonsvc.exe	85
PID 2212 wrote to memory of 2484	2212	DllCommonsvc.exe	85
PID 2212 wrote to memory of 2372	2212	DllCommonsvc.exe	86
PID 2212 wrote to memory of 2372	2212	DllCommonsvc.exe	86
PID 2212 wrote to memory of 2372	2212	DllCommonsvc.exe	86
PID 2212 wrote to memory of 2220	2212	DllCommonsvc.exe	98
PID 2212 wrote to memory of 2220	2212	DllCommonsvc.exe	98
PID 2212 wrote to memory of 2220	2212	DllCommonsvc.exe	98
PID 2220 wrote to memory of 2936	2220	lsm.exe	99
PID 2220 wrote to memory of 2936	2220	lsm.exe	99
PID 2220 wrote to memory of 2936	2220	lsm.exe	99
PID 2936 wrote to memory of 1860	2936	cmd.exe	101
PID 2936 wrote to memory of 1860	2936	cmd.exe	101
PID 2936 wrote to memory of 1860	2936	cmd.exe	101
PID 2936 wrote to memory of 1568	2936	cmd.exe	102
PID 2936 wrote to memory of 1568	2936	cmd.exe	102
PID 2936 wrote to memory of 1568	2936	cmd.exe	102
PID 1568 wrote to memory of 2068	1568	lsm.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ab4789a2e415738478f223ba752e413c45b7850ca806a958cc2704a338366a6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1860
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
        8⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2228
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        10⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1556
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
        12⤵
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2948
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        14⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1728
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        16⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2016
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        18⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1084
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
        20⤵
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1488
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
        22⤵
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:568
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
        24⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1832
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
        26⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2392
        
        C:\Windows\ja-JP\lsm.exe
        
        "C:\Windows\ja-JP\lsm.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56efbfcf23b3d68060529ed958915583

SHA1
74d2a2e8be02a911a749a1f7695181e982ceacf6

SHA256
393e5007cc32071546c16cdb595b967cad3892354b9179672cb4e31be5503bdd

SHA512
1a01a40e79ee6368036c11871f50104cf1eda5d2c4eeb9b68143011cc5b23c5156c4c916863ececde8afef887a514e715bdb003293faba36131699d83cc7077a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8613d25fedc5eca1cd93eb783439fe77

SHA1
34f88bdf430f607d5301aaf0dc4cc923093ca36a

SHA256
180f4cb1ca0ce7579c4a0fe9ab278c6b279df057d0af3191a5ef663f491276cf

SHA512
fa3401d3fff5690d4f61a0c935b528c884827a374b971141bb926db11de6934ea453f84b59f812a21daa2199b08526179bbad43ea17ef43c810e605d74fa9160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d77085a1a1e7adf1807a18e18a1baf9c

SHA1
8ba186b75602b8788de76d4b1d060dfb65ec7ef3

SHA256
309f2b4e8fe8bf30b3d2c8c96393240a961cf9b6f0fd6277ad6cbbeac5973818

SHA512
b000fcee64df2c7a2c961559badf5852a8e501f83a705cbf99c096bc1cabd329cb7e74adf9204f27ccbadf45d9c078d0ed4fd8d4a2adbf4b94d21bd238a4b0de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09cbdddb47f0c949250faff506f75f73

SHA1
c1da210fe2d65f7c5cd7a0b5ead862129acc3a7d

SHA256
0b5e4b02dd5197d282acf4ff2209ab46f16c852c364d0805d162197da9da4299

SHA512
26a7204235fdb8130c3d1172590a892e62838f0a6fcbd407bee4c6f5c26a5f4af4112528895356f70373bd82935af254e307e73d2c049b9a2bc14c1a0a4453d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70fdf9962e5005fd1a1a7ea5e65759a2

SHA1
261e71c65ef8ab8b25427562ea3359305ff0d483

SHA256
c218b914d271977ee73077020b5a0e1e945512cedb2d14f1cf36ca36964e2582

SHA512
d68100679bdcc5624c523505d61c25eb28467226128051428085efb07d0c3d34a7ea222f003461cc2fcfe8eeb34a6ba26a79c38081639c251656b6073a91ba59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed1113c45f229e15c6d72b51f78511cd

SHA1
c1165b7f2fd10c7a7312898242506b99f3e9c8f3

SHA256
192cc5d982dbecb9fa64a875b10965e59a9f0434ed2c588df6c41f18707147f7

SHA512
8e57bccf0afe06ffaa9c66f36ed412855917455d8e08fd34993d6c65763c2d1da566b4cc0bd1365ca351644c42b94371c4e820092974edbe0a8f1f58119bd04d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31dcdab5ed60e8a184cce9bcf023027d

SHA1
e918093800ed74da9427046047d818259402034a

SHA256
51a1b2f649a4d07c0234b0ef8705f4d8b7367409a068c467c6ff3cdd487286a9

SHA512
59ab4bd8c42efaa802b780dcbb289f57bf2e445e69437d86c7a202d4ca0f6097b455d9b18e27177de1225d13e2a69a8e1d4ad4224f14041dc504714b613cc59a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6805f48887d2954c2547125f245c491c

SHA1
59637fdef000aa5f595dfc2ec0f7ebae61f3ec39

SHA256
f14991616c4a64f95dd922afcd282c60d89112186da5c4d200d371fc6f610741

SHA512
8a44e66d14541a12a2954b31f7247fda436efad2e5ff4eb1707ccb10cf11f6a79391852633d8f07cc2e15ffba860dc7b3d63153182816c76c7a63c2785fe616d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1aaab1a7d6af8ce137f61e096d3f953

SHA1
943982d01fa260104f8f8fdef1f6f4efc615ce86

SHA256
1af8d4ce611db796025b55153111adeea2998413d4fd98cb2be76bb36077ad15

SHA512
a2bf78f534aae254994a37883b961192196049dd08c0844d0a86e1a8c1ac3bb4575dcfb6124689c445c2844de59bbb161253dbfe878c9f2ba6b65690c76b030c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f13fd37b9e92df137313021032f8370

SHA1
9496ea5bec9cecda8d0beeb13f7ae334f65e98ba

SHA256
3bde95d9124a919dff6be720fcfff4d12f451fae24768a21581b841310800923

SHA512
92731d3d156a3f56ad0b91b6a856e778f0fe2b4caa158d17ea836b33878807d0d50a854d5e08bfa6e7c7ebef15a86f5f1c6c28cac4907d0e389947f75ab10a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
189B

MD5
60bc83ceb2e428507bbdcdf5a2b58af4

SHA1
d051020055529cdf19326c4e6fbe40b190ac59ed

SHA256
c78d04b4918ba371c67d469cdf11a2386e339595bed1d98e1e30e8a64a2926ae

SHA512
42a037ad4522fcacb90a06b5feb76fafd4c1826296232c2b1bf6b4f80bbda5db89b9fabe6cdfdba6da097f1bbe178338f8070bf0ca01c587e389571a2f37aff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB1C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

Filesize
189B

MD5
cfef3f72857148059740bc08cdd6ea38

SHA1
bb3bb85d7e0b3fbd710ec2abf9b10958422527b3

SHA256
5ae29a0ac777cab00484b65a84409bcaa21097089ec812ee5204aa689dc4cdd2

SHA512
e53acf845507bef7ebf8a656a43b111934d2b3b237a2aab22ad54c0abddc4cb6230a9be0ad5bd521df293c7f682eea52778fda9562e5a0d382cfa4bcc9fd5609

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat

Filesize
189B

MD5
73ca7d3188de11359edd00c08211c78a

SHA1
c9ad3d5be6d515d3a492e649d96f53380db32880

SHA256
db1b30ae1b468c0a12d88aa7528510f93906ca875a2a5cfc9b288bc545d4f155

SHA512
06f7d1fefcc249a23471b810099fee5289adbe8f3f34c0fcf2cc4b4a15456058008fb243227ed32a27d732fe7311d5a233572bd92d75e8862da92c8f46e5febc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
189B

MD5
38562fda7fb7d85466821227148a494a

SHA1
3708ac7fe186815ecd9b386d8f11a799f6dfa98e

SHA256
7604958624909fc572f599bf96ecd20baec504244b0360430f20f0d3d1a3005b

SHA512
deca59bc8d7040ac2413d70786a647192f7c0205eebe3ae03be02c732300f784044e0708712a7b47399fd3427eac3cd108a36d132e71e06cff1d16a09a2b67b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEB3E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
189B

MD5
669f6dc5a775384d87650888fb6261d6

SHA1
cfe23a4c29eaeb18e3789feab142f2d2fe691dc4

SHA256
61161b267af5f3a50c967cfde9a56f070ba8c8eadca409900f5af6394c2d9877

SHA512
daf945bc3d3fe74048550020a150d5b1e84771e843633fb261521de5d2e0245f563e393b7823f5af868b7c10889f5867431e82ecb55f030430864bde3b44e471

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
189B

MD5
0fd997bf6ccdb02101192f766b2d7078

SHA1
0d09755a891e4f81f19d509bf03bcb7e1d9281e8

SHA256
2fdccaa7c867006a337848245cdc1abd171cd2ecffe1ebbe0af12aae35e3a940

SHA512
be917ab95b6e93924008cafdd3bc3a0a4ee20ee9d8bc215733a8db2fffbd5c46d2255b5201e562e56cb188b08bddefd6188c435ebc101d82f7e3115710d51a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat

Filesize
189B

MD5
d6a6e4798d904121afcd26beed2e7f5d

SHA1
d9da4d73fba003d59e5cddb3aacae33184f46f4f

SHA256
174167ffa472fe1c31a113e8eb10066dde000d6712c5ce6ecf798f085ca4d216

SHA512
c807b3a358b1324d848c2e0f0028a1be51229f467487bb8d3c26cfa8c51dcc028ea8606dee5a8e5eed0acabb4b94e4181457489f6d81880ffc4828b333153077

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat

Filesize
189B

MD5
871551763e53d09688c9a258deb2b6c6

SHA1
58f53dc514b92c104ded4441dd392512ed623a8f

SHA256
808ee132ce88e96f094da5ae3e59c3a4bb5d329ae1ea063cf9a551aaaf09a5ce

SHA512
de3102de28e12bac666616dc21fb0bbf2ea131bf4d560a81c9d1bd4787b60ab6bd56a558ad30713700208b62ee13c63d290eca68585796951b4ce34e2222824e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

Filesize
189B

MD5
931de1fa5ded2da07b363ffb390d6e78

SHA1
de0a1c2fc405c34efa0babee1696ad1945b145e8

SHA256
648bb879f931cd9b9f99fdaf4568abb906a409e47399f80b4d014bd93f136115

SHA512
115d11eff908dd3733201398d4c751583336b436eb87663bf352a939153e83e79ca60eaee338ed991e6651e363e047bef43c863c01b1049615632d464534fcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat

Filesize
189B

MD5
aebdd14aad00733c8d7d1eac0fcdbe71

SHA1
006b62bb9b2230fd59d0ca71e6b2b4cf98c5dae2

SHA256
67dbdf3b857808edf26cdf53d94a85cfeba171211451588780940600c7dc92f7

SHA512
3ec22d7b4c065e42898d2759f3102d1ff78eae6a260876e42a81dfefe45781a9ef89ed11fa5a1dc13afc3e5cd0632cbc316df49a0386a67919a9d4c5459c4613

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
189B

MD5
010223607007c4620f08168e3032877d

SHA1
f7af2d7d5ae8bc4a961ce09e6ebed9ec9d03d80a

SHA256
b1d913322c5c626bc0343a5b2ce78b22899b4410b0ebf240f5626178705240d2

SHA512
5ad8333dac5a4bca52a4b57b6ab026d0d5860feba55eafa1a82550b1c70d8b05851af5565187b370d548f42bac31dc1a9025471f60ab8842afb0cdfa16547882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
49083bd3656b6874324d17b23d5ee0e9

SHA1
5845fa397fab52d51414ae63ae6a59f78ca8c4b4

SHA256
bdeb65d0e78413e0d0267f1a14c64edf64a8f6de16c2bf51ff13c107e22bf52e

SHA512
b94937e129535db12bd01bd30d83052cdb2611b49577f12e6d96aa9a11517403ec2bae84b16017900aa79f94bacd02a6fae4fd1d8269b6e0f7c12cac0518045b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/880-73-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1488-352-0x00000000009E0000-0x0000000000AF0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-173-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/1700-592-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/1812-292-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2044-652-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2212-13-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/2212-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2212-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2212-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2212-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2220-53-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/2484-74-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2680-412-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/2816-473-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2816-472-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download