dcrat | 9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
Size

1.3MB
MD5

554da9e9950ed9a42772fd70e291a0ba
SHA1

099eaddabec2e6de93d8421363472234ddca8d9e
SHA256

9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403
SHA512

d237de309486d1c259177f057db7395da2a733d2b146b2485e1199d77298aeeec3805b0ae89ef9f1a1f018b522fe9a15f51299c71718ad0e9e21e7150974aafb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1496	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001612f-10.dat	dcrat
behavioral1/memory/2872-13-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/2108-117-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2944-177-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/2276-356-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2372-416-0x00000000009D0000-0x0000000000AE0000-memory.dmp	dcrat
behavioral1/memory/496-476-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2936-536-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/1440-596-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2304	powershell.exe
2152	powershell.exe
2456	powershell.exe
1316	powershell.exe
2364	powershell.exe
2268	powershell.exe
1752	powershell.exe
1540	powershell.exe
2516	powershell.exe
3068	powershell.exe
2460	powershell.exe
1296	powershell.exe
2276	powershell.exe
2404	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	DllCommonsvc.exe
2280	lsm.exe
2108	lsm.exe
2944	lsm.exe
1100	lsm.exe
2324	lsm.exe
2276	lsm.exe
2372	lsm.exe
496	lsm.exe
2936	lsm.exe
1440	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	cmd.exe
2812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
30	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\System.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1332	schtasks.exe
1908	schtasks.exe
1160	schtasks.exe
2208	schtasks.exe
1748	schtasks.exe
1112	schtasks.exe
1724	schtasks.exe
3044	schtasks.exe
2888	schtasks.exe
1688	schtasks.exe
2184	schtasks.exe
852	schtasks.exe
2428	schtasks.exe
1680	schtasks.exe
1036	schtasks.exe
2352	schtasks.exe
2396	schtasks.exe
2128	schtasks.exe
2900	schtasks.exe
2916	schtasks.exe
2740	schtasks.exe
812	schtasks.exe
448	schtasks.exe
592	schtasks.exe
332	schtasks.exe
924	schtasks.exe
1764	schtasks.exe
1704	schtasks.exe
3028	schtasks.exe
960	schtasks.exe
600	schtasks.exe
2188	schtasks.exe
1284	schtasks.exe
1740	schtasks.exe
3008	schtasks.exe
1728	schtasks.exe
1304	schtasks.exe
2240	schtasks.exe
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2872	DllCommonsvc.exe
1540	powershell.exe
2456	powershell.exe
2404	powershell.exe
2152	powershell.exe
1316	powershell.exe
2268	powershell.exe
2364	powershell.exe
1296	powershell.exe
3068	powershell.exe
2460	powershell.exe
1752	powershell.exe
2276	powershell.exe
2304	powershell.exe
2516	powershell.exe
2108	lsm.exe
2944	lsm.exe
1100	lsm.exe
2324	lsm.exe
2276	lsm.exe
2372	lsm.exe
496	lsm.exe
2936	lsm.exe
1440	lsm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	DllCommonsvc.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2108	lsm.exe
Token: SeDebugPrivilege	2944	lsm.exe
Token: SeDebugPrivilege	1100	lsm.exe
Token: SeDebugPrivilege	2324	lsm.exe
Token: SeDebugPrivilege	2276	lsm.exe
Token: SeDebugPrivilege	2372	lsm.exe
Token: SeDebugPrivilege	496	lsm.exe
Token: SeDebugPrivilege	2936	lsm.exe
Token: SeDebugPrivilege	1440	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2808	2260	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	30
PID 2260 wrote to memory of 2808	2260	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	30
PID 2260 wrote to memory of 2808	2260	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	30
PID 2260 wrote to memory of 2808	2260	JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe	30
PID 2808 wrote to memory of 2812	2808	WScript.exe	31
PID 2808 wrote to memory of 2812	2808	WScript.exe	31
PID 2808 wrote to memory of 2812	2808	WScript.exe	31
PID 2808 wrote to memory of 2812	2808	WScript.exe	31
PID 2812 wrote to memory of 2872	2812	cmd.exe	33
PID 2812 wrote to memory of 2872	2812	cmd.exe	33
PID 2812 wrote to memory of 2872	2812	cmd.exe	33
PID 2812 wrote to memory of 2872	2812	cmd.exe	33
PID 2872 wrote to memory of 2460	2872	DllCommonsvc.exe	74
PID 2872 wrote to memory of 2460	2872	DllCommonsvc.exe	74
PID 2872 wrote to memory of 2460	2872	DllCommonsvc.exe	74
PID 2872 wrote to memory of 2404	2872	DllCommonsvc.exe	75
PID 2872 wrote to memory of 2404	2872	DllCommonsvc.exe	75
PID 2872 wrote to memory of 2404	2872	DllCommonsvc.exe	75
PID 2872 wrote to memory of 2304	2872	DllCommonsvc.exe	76
PID 2872 wrote to memory of 2304	2872	DllCommonsvc.exe	76
PID 2872 wrote to memory of 2304	2872	DllCommonsvc.exe	76
PID 2872 wrote to memory of 1296	2872	DllCommonsvc.exe	77
PID 2872 wrote to memory of 1296	2872	DllCommonsvc.exe	77
PID 2872 wrote to memory of 1296	2872	DllCommonsvc.exe	77
PID 2872 wrote to memory of 2516	2872	DllCommonsvc.exe	78
PID 2872 wrote to memory of 2516	2872	DllCommonsvc.exe	78
PID 2872 wrote to memory of 2516	2872	DllCommonsvc.exe	78
PID 2872 wrote to memory of 1316	2872	DllCommonsvc.exe	79
PID 2872 wrote to memory of 1316	2872	DllCommonsvc.exe	79
PID 2872 wrote to memory of 1316	2872	DllCommonsvc.exe	79
PID 2872 wrote to memory of 2276	2872	DllCommonsvc.exe	80
PID 2872 wrote to memory of 2276	2872	DllCommonsvc.exe	80
PID 2872 wrote to memory of 2276	2872	DllCommonsvc.exe	80
PID 2872 wrote to memory of 3068	2872	DllCommonsvc.exe	81
PID 2872 wrote to memory of 3068	2872	DllCommonsvc.exe	81
PID 2872 wrote to memory of 3068	2872	DllCommonsvc.exe	81
PID 2872 wrote to memory of 2152	2872	DllCommonsvc.exe	82
PID 2872 wrote to memory of 2152	2872	DllCommonsvc.exe	82
PID 2872 wrote to memory of 2152	2872	DllCommonsvc.exe	82
PID 2872 wrote to memory of 2364	2872	DllCommonsvc.exe	84
PID 2872 wrote to memory of 2364	2872	DllCommonsvc.exe	84
PID 2872 wrote to memory of 2364	2872	DllCommonsvc.exe	84
PID 2872 wrote to memory of 2456	2872	DllCommonsvc.exe	85
PID 2872 wrote to memory of 2456	2872	DllCommonsvc.exe	85
PID 2872 wrote to memory of 2456	2872	DllCommonsvc.exe	85
PID 2872 wrote to memory of 1752	2872	DllCommonsvc.exe	86
PID 2872 wrote to memory of 1752	2872	DllCommonsvc.exe	86
PID 2872 wrote to memory of 1752	2872	DllCommonsvc.exe	86
PID 2872 wrote to memory of 1540	2872	DllCommonsvc.exe	87
PID 2872 wrote to memory of 1540	2872	DllCommonsvc.exe	87
PID 2872 wrote to memory of 1540	2872	DllCommonsvc.exe	87
PID 2872 wrote to memory of 2268	2872	DllCommonsvc.exe	88
PID 2872 wrote to memory of 2268	2872	DllCommonsvc.exe	88
PID 2872 wrote to memory of 2268	2872	DllCommonsvc.exe	88
PID 2872 wrote to memory of 1592	2872	DllCommonsvc.exe	102
PID 2872 wrote to memory of 1592	2872	DllCommonsvc.exe	102
PID 2872 wrote to memory of 1592	2872	DllCommonsvc.exe	102
PID 1592 wrote to memory of 564	1592	cmd.exe	104
PID 1592 wrote to memory of 564	1592	cmd.exe	104
PID 1592 wrote to memory of 564	1592	cmd.exe	104
PID 1592 wrote to memory of 2280	1592	cmd.exe	105
PID 1592 wrote to memory of 2280	1592	cmd.exe	105
PID 1592 wrote to memory of 2280	1592	cmd.exe	105
PID 1260 wrote to memory of 2860	1260	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f7cbc543784b4438d21a8e2207210548109e713a8dc4838c27d2ccf73a2b403.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7jg5kmbdl1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:564
      - C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        6⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2860
        
        C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        9⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:292
        
        C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
        11⤵
        
        PID:1844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2804
        
        C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        13⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2800
        
        C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
        15⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1700
        
        C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
        17⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2732
        
        C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
        19⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1100
        
        C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
        21⤵
        
        PID:808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:792
        
        C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        23⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2364
        
        C:\Program Files\Windows Journal\ja-JP\lsm.exe
        
        "C:\Program Files\Windows Journal\ja-JP\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
        25⤵
        
        PID:904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8c2dc444befe3495afc0df8ae8e264c

SHA1
aaedfbf5814bab13158031de68ec24e92cc6f96e

SHA256
2962eeb50ae9a660be5be9f56731180ceb5737efa92aae53599b18c1595191a2

SHA512
5e20b0fff7ae748fa2a1399092c0c58748ede6c17853b1c0ee91d837cf62effe555d833bc884378480930b30b4a890d9a3bde33fb587388e64b30aacf1f2d7d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9993ec77a1ceef104e0d6cdf0541df07

SHA1
9207dc440249853ffb1483df129a2a500670bde2

SHA256
42a14d7a3bd01420db2f5bf4e82428140c45fc367cba2d491f22be6b4afe03d9

SHA512
d6f86cc8532107f9454491d85fb1d0494a10d0cbbee57c35bf208aaf1b52c9c11b183b72e87937de3b651f6db7098a983eae59ff66b4f3a8a9107cbb5fbc9f47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6f81c12c0bd4c34ef161ff0065dad38

SHA1
d37ec36a6f01f7c9eb728bc20b7f3e1003db8ad4

SHA256
24a2d8ec838526725d3626dbda2c78525f347d22631681dc30f91ad8caa9f909

SHA512
20145d9f8da38f01cf1bf6c54df938f4799d9912ffbe5c4c31ee3e2c497f7670bbfb8af75654db6de242b410aa09cb91cf5f2df1764c8635035b061a902c4c04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66e83e057c8654c0c4b7cf9ef534e848

SHA1
307d761f1c19e35c64f2db9704f6c2ebafa721c9

SHA256
fd87c26a1d91c82abcee75f46e84f41772f2e345b1170564c2710098b9020789

SHA512
c4464daea9b9ba03744c0e1d9f3d693a4db5a3cd990baa17ea4da30c56f00b3a14c772db8b049615219afa685bf100d88ace3ea96fe36ad426f4ba92ab6e14a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64c3a8f990142a42126d8470354506fa

SHA1
6f5035d8811784c1f8f01a89b62a3a4a017219fa

SHA256
804b1ab58d9adeff447328d4b968e10be9e828d0dad829926fe5bf3fc4b53f5d

SHA512
2b7b056316e47828a89033c20218055b060ef7f7f93f02d822d1e3acb7d17778d56db2e3ce8787fb6a83fad8e9a130a027cdc9baf78ad26070ebf28acef5a5f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91e5ca91136e7e3a1a11a54624f9928d

SHA1
c3afb7eac9b1e23ba6988e71b58d69dce3a1a7cc

SHA256
14aa851a1ca89005ddb6c8b01de99850aa0ac584e4a612c95ed8f79559339282

SHA512
82d8a0f287615b86c507f324bc3d3cb6a3aa666ef5f969e867b45ceb173c71b780506b2255d6324293b43a670e50ab9619917639287fc9eec8db39970763e039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5ee6448812fff51f885bf261f73f04a

SHA1
d28ad36a13991369d9b7b0c8698cbfba1751a021

SHA256
32317e4667853dc0da77bf7188d6564823a2d1a41b01cbd4c098917d9e5ee819

SHA512
17d021f6d1872dfdff1e0d84342b9484fd7294d674e4d7e4f95c12a4778f91c3a21129b5b8946f68028d28c6366d191fd54d3584c6b28571e872ab8c414bbe41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b3511757ecb465306fa169fc2415aad

SHA1
fcbfe2c60ee1b4b613474f3adc6b1d17299296b8

SHA256
ee5af87fe0e5307e840dbe432526075c80c469f978bb2ac2b0db8b9e63e52a93

SHA512
abe9720ebe9c489b018cce82952c704853afa48f20abe3fdd1e657fccce03347e77554020780f5918ce9bd2763878a14fd3d893ac6194cfd4f87a2934c86d658

Download Submit
C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat

Filesize
211B

MD5
fe0733ff767968065d1e2da2a57bc729

SHA1
b1cd36758a68e1286d6907b4b3cbdbc9e3216550

SHA256
35b344bd926d3361684d958ca77fde38ba67919653024fb379a2984964f9aebf

SHA512
c46c87e8ce4b276923de580e9a7246d490ca4f1abfcd635f69835e23495011d45004bc4c823ad8f54f09fa9148e55d638ea7672ab847fab0d098d8d7e431686f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7jg5kmbdl1.bat

Filesize
211B

MD5
bd0668f54c4a17a244737af804325b57

SHA1
5aee04b12109fac006e86eb8fd0d12486e57a61d

SHA256
e141d88217249cc45614c3f6c18a97990c0894c935859ba20ee60f4478b20157

SHA512
0eeaa127b44ea14a930fea547b55c07ad5ce01a8362fb43d83f173ed3db08772bea0677ec75cfb76d0ef4013c4d1c7cbe6ebbac43c89430bd572d3daad1c17bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

Filesize
211B

MD5
570c335dcfaaa8f49fadf739e73a27eb

SHA1
59856fe781b907b60ff179feea111e6dd66180f0

SHA256
88422c9c054f3a28f63ccec72a1c8570732d0a16d95a8087d430c24aaaa48ab2

SHA512
8ca2c75a4512713136facc15a3d895eeedbafcdb08d58bccc46e5c46f3b40a7563d44e6064a4243ac9cdfe95901728aca85a48eb631f8112e2304949075ab841

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab786D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

Filesize
211B

MD5
486fc060be67dc2658599618fce5f629

SHA1
a88ceff92935c8b0ef475dba9f796dd3cd37e5bc

SHA256
e5c5c249b34efb9291fcbf30c55aebe5957c3d5eb5f9889ef2b00ef5a916f095

SHA512
13c3c072da101f9aa64d13e4dbff89309221aedfaad785eb56f3f77f40cb610672183da96bee95939d1a33afd6ea0f9b14f77a1d22269086d96246c0ba27fe26

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat

Filesize
211B

MD5
a5837a3940c415bb39019bb4d65c2af8

SHA1
9dff3d5d9afea5912ce7beca6614ba4a59e7c716

SHA256
d96e7814ed60bde4bcf2b49e310d42febe827d55237bb687d0424c0322dadd53

SHA512
3efc304d0c87bc1833d5fc37bfd108a3bc81a50dc907cc3a4becfa8c131f7c0e0291594d75511fff9e317abb4a55c3d578d234f09d30566ed4835eba7c4ac284

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
211B

MD5
4975425a5298d107064a941d47e442af

SHA1
ca20a017cd47267f1f07d4e8ca105260cc6ffa24

SHA256
4bd26302a23de1a238cec497b647a718714e223763fdf1891ba0da9ff1ea4d33

SHA512
6876f3b267d37a3f728a76502a2468d81ef2531d85b50d6eaa18eef84f33245d060439121826a88ad71133dfef0d7b0ebf7a8b54e805b2d11843c6c74102a4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar787F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
211B

MD5
f57c98fdb096aedf65426e03d9eb4fd9

SHA1
628ecfa8cfa7178fd8ff35f2f7a81ba111dc939a

SHA256
ddd0363dc88fe1750ef3e14e0c3b91b7fb6eace99df3ee07e5f61636e1898d8c

SHA512
a71f10e6f5bf813489819eef49d83a9cc2b24dc874bb4f5e2c0502b32bd5083c192782de3b7a13a5f53b9af89a7df35c6be1e026b6f445b56f8fe469d055d3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat

Filesize
211B

MD5
252ab3c74f9a93a7c51acd0dc4418ede

SHA1
907b5a7b277db22abeee419a6ce48219bf383aaf

SHA256
2ad64405c9393ab603dab0ff5c24ef55360f65d7f0e5288b5fda6d629d05d0ba

SHA512
930504591eb62858611e5d5553aa1739d7bceacd2de7148a3000e1b1038f7575a6ddf11266fdd7db5201f248e51aaefe711d602951d56a0e28f9f64224010ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

Filesize
211B

MD5
2c27e64c1b5b71e8a6674ec9443befce

SHA1
44dd38ac0fea4ebe6bfe800ef3170f1eb41c5590

SHA256
13dbbd7c1e6bfe9a6f50fc41a570b11699c5ba187242b77294f480d0fd92dae1

SHA512
6af3f5fd1fdbb6bcb639459957f9caedb8e04dfb95e047c6b506bfb97b2fad01d4b8533b48768223c4162e322497770e3d54e7701f10294145099a90257367cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
211B

MD5
5c066e3f5289056e173ded3d6f156386

SHA1
dc3275ba87971dd616c15f0ba4d1f33253fb5285

SHA256
89165d8c220a4e0155198e34e2a15bccc879dec7fc2915e8b4aeafce0614d423

SHA512
aa69b18a1bc95b9e5a626bb5ccd709feadb5a04abbaae42f2c89d5c734e1c628541868ec60ce6e0bc23199f95654e67cdd8f9d2625278e86c560ac351562f1a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
01f9a5c03eb85518d068c91ec09ced57

SHA1
5a4928f54889abd583070aec3268f44095c6ecf6

SHA256
cfcb5859c4648b1d7ff913e408122ee4b26a9b6e1e806da9489af7a91397cceb

SHA512
781253e7e803b685b2a59a5705698f8c534f3227aef484db342eca9f185e370cc13d8ef9e7a300c952b52a2c5c8650654d489b94309b131a4a5ffbf1e9c6317f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/496-476-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/1440-596-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/1540-61-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1540-87-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2108-118-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2108-117-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2276-356-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/2372-416-0x00000000009D0000-0x0000000000AE0000-memory.dmp

Filesize
1.1MB

Download
memory/2872-16-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2872-13-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2872-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2872-15-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/2872-17-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2936-536-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/2944-178-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2944-177-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download