dcrat | c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b.exe
Size

1.3MB
MD5

f0d4b365ddb351b02f761d2fa85ad09d
SHA1

c8b246f3cafdc536d2231639ac08b6bb2bd5513b
SHA256

c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b
SHA512

2b8510de4ae41ccc1498bd1e076dcdff36ab5996e25e07d32901e9b8dac78d63060fb681002a38da620d832af56f2c970d31ee4df60cf85e1ed640ec21705d06
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2412	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2412	schtasks.exe	32

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016b86-9.dat	dcrat
behavioral1/memory/1460-13-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/708-80-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/2932-174-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/1648-531-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2024-591-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
804	powershell.exe
2776	powershell.exe
1516	powershell.exe
1884	powershell.exe
1168	powershell.exe
796	powershell.exe
1672	powershell.exe
2144	powershell.exe
2092	powershell.exe
640	powershell.exe
2060	powershell.exe
864	powershell.exe
1612	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1460	DllCommonsvc.exe
708	cmd.exe
2932	cmd.exe
2300	cmd.exe
1144	cmd.exe
1572	cmd.exe
2156	cmd.exe
1984	cmd.exe
1648	cmd.exe
2024	cmd.exe
1832	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	cmd.exe
2820	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
30	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\IME\imekr8\help\System.exe	DllCommonsvc.exe
File created	C:\Windows\IME\imekr8\help\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\Framework\1036\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\Framework\1036\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2640	schtasks.exe
1148	schtasks.exe
1616	schtasks.exe
1676	schtasks.exe
2672	schtasks.exe
3056	schtasks.exe
2104	schtasks.exe
2396	schtasks.exe
1124	schtasks.exe
2024	schtasks.exe
2536	schtasks.exe
1580	schtasks.exe
2860	schtasks.exe
576	schtasks.exe
2516	schtasks.exe
2740	schtasks.exe
2444	schtasks.exe
2028	schtasks.exe
2752	schtasks.exe
2716	schtasks.exe
2812	schtasks.exe
2524	schtasks.exe
1628	schtasks.exe
1436	schtasks.exe
1948	schtasks.exe
1576	schtasks.exe
2088	schtasks.exe
3052	schtasks.exe
2652	schtasks.exe
860	schtasks.exe
2668	schtasks.exe
2616	schtasks.exe
2724	schtasks.exe
2504	schtasks.exe
2564	schtasks.exe
2268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1460	DllCommonsvc.exe
2092	powershell.exe
796	powershell.exe
1884	powershell.exe
2776	powershell.exe
1672	powershell.exe
1612	powershell.exe
640	powershell.exe
1168	powershell.exe
2060	powershell.exe
804	powershell.exe
2144	powershell.exe
708	cmd.exe
1516	powershell.exe
864	powershell.exe
2932	cmd.exe
2300	cmd.exe
1144	cmd.exe
1572	cmd.exe
2156	cmd.exe
1984	cmd.exe
1648	cmd.exe
2024	cmd.exe
1832	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	DllCommonsvc.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	708	cmd.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2932	cmd.exe
Token: SeDebugPrivilege	2300	cmd.exe
Token: SeDebugPrivilege	1144	cmd.exe
Token: SeDebugPrivilege	1572	cmd.exe
Token: SeDebugPrivilege	2156	cmd.exe
Token: SeDebugPrivilege	1984	cmd.exe
Token: SeDebugPrivilege	1648	cmd.exe
Token: SeDebugPrivilege	2024	cmd.exe
Token: SeDebugPrivilege	1832	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1984	2468	JaffaCakes118_c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b.exe	28
PID 2468 wrote to memory of 1984	2468	JaffaCakes118_c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b.exe	28
PID 2468 wrote to memory of 1984	2468	JaffaCakes118_c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b.exe	28
PID 2468 wrote to memory of 1984	2468	JaffaCakes118_c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b.exe	28
PID 1984 wrote to memory of 2820	1984	WScript.exe	29
PID 1984 wrote to memory of 2820	1984	WScript.exe	29
PID 1984 wrote to memory of 2820	1984	WScript.exe	29
PID 1984 wrote to memory of 2820	1984	WScript.exe	29
PID 2820 wrote to memory of 1460	2820	cmd.exe	31
PID 2820 wrote to memory of 1460	2820	cmd.exe	31
PID 2820 wrote to memory of 1460	2820	cmd.exe	31
PID 2820 wrote to memory of 1460	2820	cmd.exe	31
PID 1460 wrote to memory of 2144	1460	DllCommonsvc.exe	69
PID 1460 wrote to memory of 2144	1460	DllCommonsvc.exe	69
PID 1460 wrote to memory of 2144	1460	DllCommonsvc.exe	69
PID 1460 wrote to memory of 2092	1460	DllCommonsvc.exe	70
PID 1460 wrote to memory of 2092	1460	DllCommonsvc.exe	70
PID 1460 wrote to memory of 2092	1460	DllCommonsvc.exe	70
PID 1460 wrote to memory of 1672	1460	DllCommonsvc.exe	71
PID 1460 wrote to memory of 1672	1460	DllCommonsvc.exe	71
PID 1460 wrote to memory of 1672	1460	DllCommonsvc.exe	71
PID 1460 wrote to memory of 796	1460	DllCommonsvc.exe	72
PID 1460 wrote to memory of 796	1460	DllCommonsvc.exe	72
PID 1460 wrote to memory of 796	1460	DllCommonsvc.exe	72
PID 1460 wrote to memory of 804	1460	DllCommonsvc.exe	73
PID 1460 wrote to memory of 804	1460	DllCommonsvc.exe	73
PID 1460 wrote to memory of 804	1460	DllCommonsvc.exe	73
PID 1460 wrote to memory of 1168	1460	DllCommonsvc.exe	75
PID 1460 wrote to memory of 1168	1460	DllCommonsvc.exe	75
PID 1460 wrote to memory of 1168	1460	DllCommonsvc.exe	75
PID 1460 wrote to memory of 1612	1460	DllCommonsvc.exe	77
PID 1460 wrote to memory of 1612	1460	DllCommonsvc.exe	77
PID 1460 wrote to memory of 1612	1460	DllCommonsvc.exe	77
PID 1460 wrote to memory of 1884	1460	DllCommonsvc.exe	78
PID 1460 wrote to memory of 1884	1460	DllCommonsvc.exe	78
PID 1460 wrote to memory of 1884	1460	DllCommonsvc.exe	78
PID 1460 wrote to memory of 2776	1460	DllCommonsvc.exe	79
PID 1460 wrote to memory of 2776	1460	DllCommonsvc.exe	79
PID 1460 wrote to memory of 2776	1460	DllCommonsvc.exe	79
PID 1460 wrote to memory of 640	1460	DllCommonsvc.exe	80
PID 1460 wrote to memory of 640	1460	DllCommonsvc.exe	80
PID 1460 wrote to memory of 640	1460	DllCommonsvc.exe	80
PID 1460 wrote to memory of 864	1460	DllCommonsvc.exe	81
PID 1460 wrote to memory of 864	1460	DllCommonsvc.exe	81
PID 1460 wrote to memory of 864	1460	DllCommonsvc.exe	81
PID 1460 wrote to memory of 2060	1460	DllCommonsvc.exe	83
PID 1460 wrote to memory of 2060	1460	DllCommonsvc.exe	83
PID 1460 wrote to memory of 2060	1460	DllCommonsvc.exe	83
PID 1460 wrote to memory of 1516	1460	DllCommonsvc.exe	85
PID 1460 wrote to memory of 1516	1460	DllCommonsvc.exe	85
PID 1460 wrote to memory of 1516	1460	DllCommonsvc.exe	85
PID 1460 wrote to memory of 708	1460	DllCommonsvc.exe	95
PID 1460 wrote to memory of 708	1460	DllCommonsvc.exe	95
PID 1460 wrote to memory of 708	1460	DllCommonsvc.exe	95
PID 708 wrote to memory of 484	708	cmd.exe	98
PID 708 wrote to memory of 484	708	cmd.exe	98
PID 708 wrote to memory of 484	708	cmd.exe	98
PID 484 wrote to memory of 2860	484	cmd.exe	100
PID 484 wrote to memory of 2860	484	cmd.exe	100
PID 484 wrote to memory of 2860	484	cmd.exe	100
PID 484 wrote to memory of 2932	484	cmd.exe	101
PID 484 wrote to memory of 2932	484	cmd.exe	101
PID 484 wrote to memory of 2932	484	cmd.exe	101
PID 2932 wrote to memory of 2184	2932	cmd.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c91f21622352ba61629030a62ae9fe55b26222eb4fdb8d300b8783c02b43a05b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\1036\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\imekr8\help\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2860
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        8⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1760
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        10⤵
        
        PID:1384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2716
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
        12⤵
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2760
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
        14⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1684
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
        16⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2896
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat"
        18⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2704
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
        20⤵
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2836
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        22⤵
        
        PID:1388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2816
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"
        24⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework\1036\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1036\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\1036\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\imekr8\help\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\IME\imekr8\help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\imekr8\help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
247729b8ae6eb771262c77a6dd6ffb86

SHA1
e37c43e9af2feb6285a0bbc882e5c310570ee0fc

SHA256
bd6b07d249d8cf8e662cfa0fd1b67db02167c0c9c811a46b4fdf53e932967066

SHA512
f3362f356e4673b04e96204b7f66ef94a0eda4cf058e6fcb85c694f73ad1d266faccc10de0a1b970d4b2c8047de93f5dc6b35c3c7f877cda8e49700081fc6f78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d86adc855725e3ee75606dee29c7c4f

SHA1
3cb84535de16fa89ad9f1fbb1c80878c46316f41

SHA256
43dc04766dae4283aaf3ce9e954049c6472f65d57968f8e7b6bc2e605bb47c98

SHA512
9c4a0c6688463017a20a7fe1cb00edf7d935569ca80495026f6cafef874c9b7f4b82c1a23c28cc7fe3dd5dd78cc7e35e48a16ab9d4f5f749a329f09cd8995b6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf643aab22e0f55bb46073a5ecbaae44

SHA1
a340b840d4c141074b70df4ef7be5d8afec73e42

SHA256
7a7add00c6f0646c68081dd2e8a81036c47fdbb5294d1192ea736c8293b64c53

SHA512
b1d168f3fa7e5d0066b9d8526f319cf87b96e09339abcf663002c22ad302040c6405cffbe30f8cf6fea08500a42c9b0a86a4d841425e837a282aa708b170f511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
335edd63f1edfce6e2491074e511a67a

SHA1
dd67292e4d0c864edd2a8b5e056f8476d54dc7f3

SHA256
5b7e4f745713676aa0adf6779fea737b8e5d4356284d1eddeb6e2705e1553dec

SHA512
cfaa6aaf6cb746c5a1c7f8bcdb8a8635e979c53fed34c4b800f776c3d1075d1604fa05c549af88e60ac1cf118caa251390f01c03a770f07167a2f26d521a6b19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f64a3e9bb7fea27170d1d9ee8555f94

SHA1
7133ec1f963094d3b296259332b8e07f011aa7d1

SHA256
b78e9bd3a4a6ec9ff868dd5ff1e52212edddeee1c60ce65adce265a9c8fe1287

SHA512
333d18ebc65ae30a2aa980f917b0aa89fb82b3a25efe015d8ad31e43de6c45fb8678003eb213ba5ee6a0d8724b98a8ceb1b433490cdc6667354d7e1c1842d41c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec94320b7c5988f1d75ac1233550438a

SHA1
94cd32b3054f17ec5c11d99497d7c9f6d2a179b2

SHA256
001339d2046601544af148fc6ef1fd7c9832d3e8e1e0b345683d854999f07706

SHA512
a2813de469b82f140b13a2573fb5de62d72289a2a125e5d9d755258e7d21981d345e656e27da07d1112b284639787fa3746da6832802123fd090af80eca01329

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42e6299c87e4a1f73d7d7ef698debc83

SHA1
087230fa25a1fbe7f63fb4c22afa56e52bb7b074

SHA256
7dc89b4190c44f30a0cb195400a6319f153430202d35a102ef8379e2de49df18

SHA512
a89c553e6c1e95fa04a8ed3f383b98d4bfba5db6d48ba38741fc7b42b5b6f0311056ea0858e9659e8469e3325ad6bf97b7463bd7d776cbaf0d0c3ed7ac203a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46d1ca6f3bbe55a5bb0cfdd156afcb5c

SHA1
43f1cea6a3e4e0938a37c1f3c0fd4d52dd8176ee

SHA256
3603dc3546c7d0ee1863b0303369aafcd7dabffed8b0d9951f0b9492dcc007ca

SHA512
1d288ceded4870093677f940cc5dfd163791f5defc86fa01be760d76fe241ca24e73ba5a0442d9121c859570dcba468fb85fa160579e4534d7775c13014349d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44fb8e7e243f48348b735f6f6441d442

SHA1
08059f1e74a9225e435bb6f00244a80b7470218f

SHA256
5f1a3a4ad8eadf7e9c4fca945fef7249d681d1cf64f67eb64166ae577f0164ba

SHA512
423c22dea8417249af233380cf75fc3e5a7da67fc7a6faa083837a86f41d69b7b24dcda604590e8f400fe7e30bbbe2cfee745e78c33a73eb5da99cbc71779e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

Filesize
190B

MD5
ecc58ececb66a6d7a6d1b4181c78ce1f

SHA1
8881c3911a5f5fc773cb8ca954fb58fda69abc86

SHA256
ac54815571f0dfc2c4ca1e0596f925c35ccd6517890fb42b61779019fbcdc9a1

SHA512
fbbbb537686c8bfc39bbf6ef304a87ce7c77b9a2c60afea9c42a669747a10ab362f0148d39523b2a9955e7f69015d740a306f4a42a12d99735e3d14d0e47f345

Download Submit
C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

Filesize
190B

MD5
f330cac6c30867e51b6eda93ddecc104

SHA1
2cb06948ccf81067ccd75960df5efef4d425acc3

SHA256
e3529694df71e461985cc50addee8779a1fe8b6586546885d6ff30ad1112ed88

SHA512
d87f99c0b5bb938db422b990ca5d4bb82cdeae890049dd65e38a73bb59c36485b7fceb76db53386766a94496688e7c51caee27d99b39748139d86760fced10bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
190B

MD5
e5ea1d13846078b026371b95d7a064e9

SHA1
9d3f48783d39beeff21eca1d55d2e7ca69f4cc17

SHA256
6072bae14761390fedca973035c29837a2d66a71effa5d58121e23d768c69335

SHA512
4ac4f2bfd38b3078a4ecc057bd19e7fbeed396faa9f5723eabc0a04da529d1a11224affc3db45dd287fa3c2b571b37175a2a6fc35eeaef2ccf7ef17560417c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF78.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
190B

MD5
9c2d23d3d6e30657c481311e2b75c596

SHA1
7835e42b27040c83d9d38f0f3ede6cf7284f4605

SHA256
32b2cc6e5f2b7a239824f9ab3c980dc41dcbca8c0e3b612319ab0b79178c641e

SHA512
0ce2419a83f7b250d82a3b809caf95149f08b71182b206b0f943940aad04cb191a8e375ef038ee6ad956e6cb352c9eea74d1f099beb062d95906e2662c4dbfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat

Filesize
190B

MD5
0f0380e977e7c66b5acf07870fbac206

SHA1
f7a051177c1b8140bb9e584e8d5b7e9e26e6ca59

SHA256
2c07295d132d3d3663490d2c45fafe57954a45973a44077624399edab9dca4e5

SHA512
40c2081bd0d3856d530abd896e76a659bac94ef36779067fb7f4d03364f6664023fcc3a8f0bbace31fadeb62cb0f42f485ca24729891196a18b23aae4dbd512a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
190B

MD5
a1e4b496b2e170559914510aaf8b8aa5

SHA1
becd66bd72d5a2277d99a80a41aea3b8db217ee9

SHA256
7c9c884b18ee26407f1da24599fc329b2902539467177e950434ee258f4b0a91

SHA512
7265204c2b89f62210975730ba583d6b1993c6497bb0020e799fdca00888315a8fb943b651edee2257e23268b9c6d1fd7c14ce0f842b058a74ef200cc307addf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

Filesize
190B

MD5
019f49cf132a24c8c6add56f1dffae55

SHA1
fb93faed405fb9958b3037b220ceca003c99d03f

SHA256
818ee39bde523113f2c8659070619c03f8287f5afa439a92ba9c276058cf0747

SHA512
1613ca2a4932578b420365c517c05100b981f9efeb11911dc1747f078e26d8ca5b06175f06b8243971e807b6359c22064af0a4fe42c1f4c08076c33c82977e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat

Filesize
190B

MD5
b9264ed4e8bdf23a9b4802d925fe2a23

SHA1
376ab97c1209a027504c5eedd85ed6fee6dbed59

SHA256
1c2964a44111c06f22d86ea6b38fa86273423812bb976390c52fa17f4504c8f8

SHA512
c1c07501c3fd511efcd12f14501db17504a81f255bb68bda78d2da805272bf2a7bff86f11cd17da62012a82367639f921e05507962b513a6a4e9f960e62f48e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
190B

MD5
c8722c5e98784105134e59256a239bc6

SHA1
2a6ce0a05aa06fd01e4e0b66608fbbba0880ddd8

SHA256
79526959b8558fec48404a06a7fbb8f5cd4458759931a4ecf6ad4726b9debd72

SHA512
656e62122c4a73f7ef9a2f5ff70b7863d5a5920196ee88768d10f6548def78fcb40490a02fc37b34157c41e909e365377753c1f4291a14a6e0857461209c7557

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDFAA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

Filesize
190B

MD5
dc312716e445f7c8ee3f1a30d922a03d

SHA1
56e6b5a0adaf903b04a2bbb7c324e577bd4cfd5c

SHA256
f4e4cbc3239b9f93b2b7712ed571dcadf8d5811236850a04490474f5958cf08c

SHA512
8a77d33765db4f07aecc299659095a00136b1c69daa26ac60dbe950f56c378394a798a05421ca8feaee49e3f3b3fc2eb8957e92c6414c6f8cb84f38bd61144c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8a3f158b88f3d80c72c26e6d453bd224

SHA1
6f000f05fa6f3993dde1ab17d66c0db731925a18

SHA256
4e0715136703e4a9fe6a94c7cb9423e5169c24ce01580e7bd932f74cbbfeec96

SHA512
f984b1adf5c4e1ad5b1e48a7b41fd60a50e1b0133eac2e558407732ca18f5f8c35844e90ed355cbded68404706974b9df7cae2019f3a2f3b47eeef74de806215

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/708-80-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/796-63-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1460-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1460-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1460-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1460-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1460-13-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/1648-531-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2024-591-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/2092-61-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2156-412-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2300-234-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2932-174-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download