dcrat | b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f.exe
Size

1.3MB
MD5

621e4711b936dc3ec273fea4e52e32f7
SHA1

a7669b36f0766099da71425b3a9ee91704d649a5
SHA256

b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f
SHA512

8cf55bc079905b540ca50bc8a76c4f7b8cc503b51385f5d2565c32be08d995459a973f1657922541c51ee4447760061d654cde6d3aa6c092fe8482aa2bfb28ee
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2104	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2104	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d3a-9.dat	dcrat
behavioral1/memory/2272-13-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2996-108-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/616-167-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2028-227-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1880-287-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/2384-347-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/2900-585-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2792-645-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2664-705-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1424	powershell.exe
848	powershell.exe
1200	powershell.exe
1352	powershell.exe
1204	powershell.exe
1748	powershell.exe
2024	powershell.exe
1772	powershell.exe
1532	powershell.exe
1880	powershell.exe
852	powershell.exe
912	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2272	DllCommonsvc.exe
2996	winlogon.exe
616	winlogon.exe
2028	winlogon.exe
1880	winlogon.exe
2384	winlogon.exe
464	winlogon.exe
1592	winlogon.exe
3044	winlogon.exe
2900	winlogon.exe
2792	winlogon.exe
2664	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	cmd.exe
2864	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Microsoft\Protect\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\System32\Microsoft\Protect\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\WMIADAP.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\ja-JP\lsm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1672	schtasks.exe
2568	schtasks.exe
2532	schtasks.exe
2652	schtasks.exe
1560	schtasks.exe
2716	schtasks.exe
2084	schtasks.exe
992	schtasks.exe
304	schtasks.exe
1864	schtasks.exe
1604	schtasks.exe
1988	schtasks.exe
808	schtasks.exe
1936	schtasks.exe
2760	schtasks.exe
1020	schtasks.exe
2160	schtasks.exe
1084	schtasks.exe
948	schtasks.exe
2584	schtasks.exe
1948	schtasks.exe
1716	schtasks.exe
1624	schtasks.exe
2700	schtasks.exe
2036	schtasks.exe
1872	schtasks.exe
2164	schtasks.exe
2900	schtasks.exe
2312	schtasks.exe
2560	schtasks.exe
3024	schtasks.exe
2888	schtasks.exe
2232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
1352	powershell.exe
1532	powershell.exe
852	powershell.exe
1748	powershell.exe
1880	powershell.exe
912	powershell.exe
1200	powershell.exe
1424	powershell.exe
2024	powershell.exe
1772	powershell.exe
1204	powershell.exe
848	powershell.exe
2996	winlogon.exe
616	winlogon.exe
2028	winlogon.exe
1880	winlogon.exe
2384	winlogon.exe
464	winlogon.exe
1592	winlogon.exe
3044	winlogon.exe
2900	winlogon.exe
2792	winlogon.exe
2664	winlogon.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	DllCommonsvc.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2996	winlogon.exe
Token: SeDebugPrivilege	616	winlogon.exe
Token: SeDebugPrivilege	2028	winlogon.exe
Token: SeDebugPrivilege	1880	winlogon.exe
Token: SeDebugPrivilege	2384	winlogon.exe
Token: SeDebugPrivilege	464	winlogon.exe
Token: SeDebugPrivilege	1592	winlogon.exe
Token: SeDebugPrivilege	3044	winlogon.exe
Token: SeDebugPrivilege	2900	winlogon.exe
Token: SeDebugPrivilege	2792	winlogon.exe
Token: SeDebugPrivilege	2664	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2472	2100	JaffaCakes118_b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f.exe	31
PID 2100 wrote to memory of 2472	2100	JaffaCakes118_b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f.exe	31
PID 2100 wrote to memory of 2472	2100	JaffaCakes118_b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f.exe	31
PID 2100 wrote to memory of 2472	2100	JaffaCakes118_b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f.exe	31
PID 2472 wrote to memory of 2864	2472	WScript.exe	32
PID 2472 wrote to memory of 2864	2472	WScript.exe	32
PID 2472 wrote to memory of 2864	2472	WScript.exe	32
PID 2472 wrote to memory of 2864	2472	WScript.exe	32
PID 2864 wrote to memory of 2272	2864	cmd.exe	34
PID 2864 wrote to memory of 2272	2864	cmd.exe	34
PID 2864 wrote to memory of 2272	2864	cmd.exe	34
PID 2864 wrote to memory of 2272	2864	cmd.exe	34
PID 2272 wrote to memory of 1352	2272	DllCommonsvc.exe	69
PID 2272 wrote to memory of 1352	2272	DllCommonsvc.exe	69
PID 2272 wrote to memory of 1352	2272	DllCommonsvc.exe	69
PID 2272 wrote to memory of 1204	2272	DllCommonsvc.exe	70
PID 2272 wrote to memory of 1204	2272	DllCommonsvc.exe	70
PID 2272 wrote to memory of 1204	2272	DllCommonsvc.exe	70
PID 2272 wrote to memory of 1748	2272	DllCommonsvc.exe	72
PID 2272 wrote to memory of 1748	2272	DllCommonsvc.exe	72
PID 2272 wrote to memory of 1748	2272	DllCommonsvc.exe	72
PID 2272 wrote to memory of 912	2272	DllCommonsvc.exe	73
PID 2272 wrote to memory of 912	2272	DllCommonsvc.exe	73
PID 2272 wrote to memory of 912	2272	DllCommonsvc.exe	73
PID 2272 wrote to memory of 852	2272	DllCommonsvc.exe	74
PID 2272 wrote to memory of 852	2272	DllCommonsvc.exe	74
PID 2272 wrote to memory of 852	2272	DllCommonsvc.exe	74
PID 2272 wrote to memory of 1200	2272	DllCommonsvc.exe	75
PID 2272 wrote to memory of 1200	2272	DllCommonsvc.exe	75
PID 2272 wrote to memory of 1200	2272	DllCommonsvc.exe	75
PID 2272 wrote to memory of 2024	2272	DllCommonsvc.exe	76
PID 2272 wrote to memory of 2024	2272	DllCommonsvc.exe	76
PID 2272 wrote to memory of 2024	2272	DllCommonsvc.exe	76
PID 2272 wrote to memory of 1880	2272	DllCommonsvc.exe	77
PID 2272 wrote to memory of 1880	2272	DllCommonsvc.exe	77
PID 2272 wrote to memory of 1880	2272	DllCommonsvc.exe	77
PID 2272 wrote to memory of 848	2272	DllCommonsvc.exe	78
PID 2272 wrote to memory of 848	2272	DllCommonsvc.exe	78
PID 2272 wrote to memory of 848	2272	DllCommonsvc.exe	78
PID 2272 wrote to memory of 1424	2272	DllCommonsvc.exe	79
PID 2272 wrote to memory of 1424	2272	DllCommonsvc.exe	79
PID 2272 wrote to memory of 1424	2272	DllCommonsvc.exe	79
PID 2272 wrote to memory of 1772	2272	DllCommonsvc.exe	80
PID 2272 wrote to memory of 1772	2272	DllCommonsvc.exe	80
PID 2272 wrote to memory of 1772	2272	DllCommonsvc.exe	80
PID 2272 wrote to memory of 1532	2272	DllCommonsvc.exe	81
PID 2272 wrote to memory of 1532	2272	DllCommonsvc.exe	81
PID 2272 wrote to memory of 1532	2272	DllCommonsvc.exe	81
PID 2272 wrote to memory of 3060	2272	DllCommonsvc.exe	93
PID 2272 wrote to memory of 3060	2272	DllCommonsvc.exe	93
PID 2272 wrote to memory of 3060	2272	DllCommonsvc.exe	93
PID 3060 wrote to memory of 2644	3060	cmd.exe	95
PID 3060 wrote to memory of 2644	3060	cmd.exe	95
PID 3060 wrote to memory of 2644	3060	cmd.exe	95
PID 3060 wrote to memory of 2996	3060	cmd.exe	96
PID 3060 wrote to memory of 2996	3060	cmd.exe	96
PID 3060 wrote to memory of 2996	3060	cmd.exe	96
PID 2996 wrote to memory of 2504	2996	winlogon.exe	97
PID 2996 wrote to memory of 2504	2996	winlogon.exe	97
PID 2996 wrote to memory of 2504	2996	winlogon.exe	97
PID 2504 wrote to memory of 3016	2504	cmd.exe	99
PID 2504 wrote to memory of 3016	2504	cmd.exe	99
PID 2504 wrote to memory of 3016	2504	cmd.exe	99
PID 2504 wrote to memory of 616	2504	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b715a2c3a5eee1e1a024b28d810713cb3af4e691954033b2be457a83633e553f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft\Protect\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k8HyygKA7f.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2644
      - C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3016
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
        9⤵
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2608
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        11⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3008
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
        13⤵
        
        PID:2704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1740
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        15⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2136
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        17⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:900
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        19⤵
        
        PID:884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2308
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        21⤵
        
        PID:1280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1992
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
        23⤵
        
        PID:1020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1452
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
        25⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2400
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\Microsoft\Protect\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\Microsoft\Protect\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\Microsoft\Protect\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e93e90584f8dcce523fa00134981b58

SHA1
387c57cc5b14abb1e9b14e1f4702716858f49165

SHA256
c9a2ea1ceaafa0a9b61e14d228dd8023b4d1348d9be8300f8e63b01cb6e1595d

SHA512
1e1c505a0e5cfcb35a4a33fc449f83e122d3fd475f291d96c7f11dc640704be0cea30e7bb255a06ca2948619cfad7a266567402fa391017b6420d3601e5ce016

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e4a8ee868f964e0c55f31ccdcc5e9b9

SHA1
648b0919abd6f3d0fa31e105067146c465bef0b0

SHA256
4ca38aaba31cbaddb7826f5a6c4f0f292a9bd12719952f892039ac523fe376b7

SHA512
5641787a92c824d0832618886d3460615349fbefd942ca4d646ea0fda2e7603e196c25c789f64bb337e849eee802854efb2c684c0307173999c74c7b599e4c96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cd1f0562d879f48f05ff32404cb49a9

SHA1
a7ba1bc6721e57067e37ed71174999a10e9a1414

SHA256
139f8a9e587f05f0d6644ff9d7aa01451c813ae455e915d30842b4478bd11868

SHA512
fc4f89b867442fb7e55dd84556852d12c900266b3e785679c7ece0fe79dbc92f0c2f567e19fee7ed972be3e23d43fc79c6025ecadd94bad4d43c8bf2bc803aea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c8a59a02768d7f829b34467cd5db2db

SHA1
1ecce3e07e50dc9bda327bc62dc5bb41cd343974

SHA256
2989a3d7b73582d6add45c04f59e6639e9d6300ccf4ce3878b42d6f1cf4f7315

SHA512
ff511f16d6a37463f415efdd294eeb2291168fe4a2c63544e808e22f1e0e3e297b1cce966c57acec8278fc394c31f79d31f5075225e28c55ec6c5b53c8bf7ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8c3cc9b374857cc4e3deea63b7c2737

SHA1
8148a5aa1fb1c765d02fc2dcaa754d17f9932df6

SHA256
f37df4dc42d33662727d99242e7b532c44c7bfac7540f7b6381251ba81e87306

SHA512
41e87028f884709612390d0ed897a19b066e2e2f76be35c491b807960900520d236aea58e0c1c6fef7a6526b0ae38eac196d003d2045f4b62e501e3fb721783b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73b2b972fa0f9227d4a71564e0130c69

SHA1
d00cb40ea9a8b56b3434d90394a029dedd2087cb

SHA256
aea5f1b9c46832f1df250e7b6c7c18fbfde996b413c0400e0b084b858e1762e8

SHA512
f981e37782617c737c7f698703beda099297ad3c0025ecb66e3610c62e58b6761df68f77c2a90d9f8403cddddb03b5441a5b44eccf207c1f822245d3f4d5ce70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07da43a482e0df8cba49afd9396cd417

SHA1
2e5036271ec77166aed16ae8e92e5bccfe3b11e8

SHA256
eb36bf460e95c7ac68964743a2053ed0831d22f4f83549fac06e736641770f66

SHA512
743ad521115d5f1345b571cecc08a7e8d8eead7dd9bd8816e3080971a4eba144f48a4b5f80951c0039caab030d425a729c0dd237ce6478635f8ac72bfa648877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3addcfb3b08ea35c62fa2302491f626

SHA1
04792539de6186662309657de2fabb13b9e84dc7

SHA256
bc69c3e1045e98bf8e56e006c59ba979aa713231a66245aab8a19544c453a38d

SHA512
def64797ada8665426ddf0e60888db7fcb33d5b1ba1addc2439d07103b706c98e7b02be16ccd5ecc02b1197184f34722df2e3213d56118a90741edb9e313780f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a1953a719acfd6d1748d7de514a34c1

SHA1
2792a8f3f4253c3e41dafb05316c79c7a983efaf

SHA256
e1918cd1c9e1a6972f2e6ae713f5568616669e7d4b9e087c4d89ebd1697a8d2d

SHA512
0daadb5386ce9ad5b5d0259bc388cc2e735acbcfdfd47e8b22b9a2e3dc16039203f63f0689d41a319eee85602fe3c2ea15af8bd8157b88773e7509d43283e8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

Filesize
195B

MD5
fae243c2c478438b377c361c3e23f554

SHA1
b60e6fecfd430c2d03b307e5d38ccd41efc1a668

SHA256
4fc5328d5d9ff74c42972497ab80ec5fe03067a0d0e603da221f41b1ec379606

SHA512
b3ec9e6d290e5519945caa642ecdba9a8312a115908cfdacd7e25c1e90d04bdd40e1c0cbc25da073c881810c364991b8322bafd3a3b491986e760edef35a386a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B9E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
195B

MD5
24538e119b3bebacc75691f6473a1b54

SHA1
ee791b1a4602cbbd424a0860c95c3718fc905692

SHA256
91471f7dc97907beb2472a281a349d955cb5221b3a1b626ab2744dc999f790dc

SHA512
c63a7a9bd99bc859d19be391c4292525c042a82b462ac031db3cb8b5c8c3f5203657cf482c71edc22cc2215471cbe6a0b6fa09df6a60446ef07667846c395dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
195B

MD5
6083161ced530fcf07228f7ed84a45e2

SHA1
bedd9f09722277c5a3a2ea1afd72a2fe3272b935

SHA256
f882cfc397bcd8d8edd50dfd808323d25a8d7947b00fadbd6ef3673a72f55557

SHA512
5f3f24fc66c4a2cbe393733542e26c6df88a745327b2fe2afd4fa3e604340219a959802269ffc80be2d52ea933d9f0bbe7bd04955d7eac66bbd3cf37e203d3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BC0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
195B

MD5
c61d9ea6df03927c7ca6d40470ca1268

SHA1
c6c8cf06ee3c59485957e9e80b10d19b5e6c18b7

SHA256
ae82733d3a1aa1be82f654019b505cc6efb4dec9961067d7bd7a05054dcbb824

SHA512
dc5ca71ac9aa73d0123edb79588e32ef0a171d5d646b36105dea192fa3082b5c0d52e11f0e7ffa75926dde796dfec2e495c0e34e747e8d2413652495f55267bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat

Filesize
195B

MD5
a3047d17a020a5bed3d52328041cf221

SHA1
e3454f48343d125461873b115714b12bd959f323

SHA256
fe555b74f2d713123d5b724934514a002fc83c9fa1b0a868e63dd9a11ee5ae3c

SHA512
bde1b50c622625615475b476217bbe4a4e14e5c887c14d749ba158a90862535f768b8fd63ed1c47055256bcbc6d5de3d659f86b927362f604988300f890e7814

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat

Filesize
195B

MD5
f90fcefd3b6c4d91d42ef93d6483f31c

SHA1
e132f8b06c62d476dde64bb01ce38d41e134aeba

SHA256
cbca48d5da74d906ad5ccdf924c0f5bfc84aef85196cc146b52bcb77dd57080b

SHA512
e6ae7b8649579d2854e31df6a63721b0b03103af359a6714890741895ecdb800958f5f736f762783c4eb7f01e949ea579b9caaf458f257838ce4275c2876c805

Download Submit
C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat

Filesize
195B

MD5
5aafe0a0672b86643bc7df9f99864ef0

SHA1
ba819a2a2fc8beddae61e90ee665c639e1c9bf62

SHA256
f502d78446a0d68386e76c530b4303da76a7765c78af447e872520dec6ef5c6c

SHA512
f19742b4d126fc543b4802117b78d71bf0aa0ada6d9567d9094b9925f9346c42bacede9c71d49a4f4496f78593c8c6d283d1b2df69c3d37bdd4d962623be2769

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
195B

MD5
d104e420b61e9fce17a1356bd02b63d2

SHA1
8c7d933c9d39fa96a2ba8d78b0d3f7e125eb1821

SHA256
f691a8b35a12805df3b78c45cb4f20833d061964df3de54874a1951bb7292fc3

SHA512
82db0a942f01d1a10dedf11d72efe5436038710816a7fbf4f8b3e784736fbb17ced8669f4396b4bcd3a8bedbb8672aaf1014e00975ef4ff4b3f3b38fda8c2b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\k8HyygKA7f.bat

Filesize
195B

MD5
20f0e0aee67efe0be95f853a240bb960

SHA1
2b15424c7eb419000805a6a9058cfc9ad1464625

SHA256
f8e00304810731bbe4450dc64d702750c4ecbeb3f3dea323a8d8f6ae91a0b8fe

SHA512
053754d255f32fab31ddc78fb4e38589aa08b30f44943650a881be01f1984bc00adddc902ddcba3dcadb4c4e6c93d14ca644d68f035f0955dacd6b513a314dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

Filesize
195B

MD5
729cba48f861f0783a5b6310c9022965

SHA1
392b126654ec6d1d9ef295a40c7eec89c8a485a2

SHA256
7699cddb0219c1ccfa536851e63b3b8704c28a2081afcaa8252f3e59a725ce72

SHA512
9f8a8d5029a576ae1cbcde0eae6768c11a1b5b5daf89b3df3661ddf7db0671d4989822d6f905f3abeed6171e14c1a05a57fcc3885e19ab8c44d129df0b073379

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat

Filesize
195B

MD5
184bc6cee6488682a1fc1a81051e8637

SHA1
01bd9b771f49346ec82ba48ee8171da4b30f20ae

SHA256
e9e40d794f96e357f41015c37dfaa4696cfc5a7687b56eea12e26cce5c3425c3

SHA512
6f9e281c0ce446fa005ccd1478a7efcec87339d18bcc7738b85d5e2bec65a764923155d5888befdb20e4ed3723a2515bb76cc320eedc0eb289a8649e3fd72c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RYU1UNXE5JYJRV0U4COD.temp

Filesize
7KB

MD5
e09aa3c17a398fb43e0a8e05d254c9c6

SHA1
3a3cc9c97b2d52b6ccf46617fe7f006f46b639e9

SHA256
71d2c4c7b004934cd266a50299a92969971f2a01132c6e20e455bff50d00dacf

SHA512
6e748038f824fd3805fc673a05b4d08adf8f861374b354d84afe5672d7ad962a5714e5876c79d719c028ab5d6f6d3745b498dfec7e028250d45336c2dda1d81e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/616-167-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/1352-48-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1352-50-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/1880-287-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/2028-227-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2272-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2272-14-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2272-13-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2272-15-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2272-17-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2384-347-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/2664-705-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2792-645-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2900-585-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2996-108-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/3044-525-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download