dcrat | f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a.exe
Size

1.3MB
MD5

a18f65a9b23b6a8be1066b73b15922d4
SHA1

9a4e8fad3257be7b93282e9e86e377c655a8b767
SHA256

f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a
SHA512

cb74bbc357ba2a0eb55fdd8dba3b97f01830ddcc0cd23e8fae74af911133b69d2664644216f372591dcb67b4e364b964ac413db5a8d6d50cad94b09668dcaddd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2936	schtasks.exe	33

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d1c-9.dat	dcrat
behavioral1/memory/2912-13-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/2160-117-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2300-235-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/2732-295-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/2512-414-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/2584-474-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/3044-534-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2520	powershell.exe
2008	powershell.exe
2948	powershell.exe
2572	powershell.exe
2608	powershell.exe
2368	powershell.exe
2800	powershell.exe
564	powershell.exe
1596	powershell.exe
2300	powershell.exe
2776	powershell.exe
2064	powershell.exe
1420	powershell.exe
2388	powershell.exe
2028	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2912	DllCommonsvc.exe
2160	smss.exe
2240	smss.exe
2300	smss.exe
2732	smss.exe
2176	smss.exe
2512	smss.exe
2584	smss.exe
3044	smss.exe
2032	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	cmd.exe
2832	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\DllCommonsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Tasks\System.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Media\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Media\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\assembly\System.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\TAPI\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2056	schtasks.exe
3060	schtasks.exe
1732	schtasks.exe
1652	schtasks.exe
1144	schtasks.exe
1180	schtasks.exe
320	schtasks.exe
2272	schtasks.exe
1664	schtasks.exe
2620	schtasks.exe
3004	schtasks.exe
840	schtasks.exe
2580	schtasks.exe
2292	schtasks.exe
2296	schtasks.exe
1036	schtasks.exe
1740	schtasks.exe
2248	schtasks.exe
2260	schtasks.exe
2268	schtasks.exe
2220	schtasks.exe
2700	schtasks.exe
2992	schtasks.exe
2500	schtasks.exe
1948	schtasks.exe
2564	schtasks.exe
2804	schtasks.exe
2108	schtasks.exe
980	schtasks.exe
1252	schtasks.exe
1612	schtasks.exe
2204	schtasks.exe
1712	schtasks.exe
1424	schtasks.exe
1492	schtasks.exe
2060	schtasks.exe
752	schtasks.exe
2464	schtasks.exe
2768	schtasks.exe
2132	schtasks.exe
1768	schtasks.exe
2640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2912	DllCommonsvc.exe
2572	powershell.exe
2008	powershell.exe
2776	powershell.exe
2064	powershell.exe
2800	powershell.exe
1596	powershell.exe
2608	powershell.exe
564	powershell.exe
2520	powershell.exe
2028	powershell.exe
1420	powershell.exe
2300	powershell.exe
2948	powershell.exe
2388	powershell.exe
2368	powershell.exe
2160	smss.exe
2240	smss.exe
2300	smss.exe
2732	smss.exe
2176	smss.exe
2512	smss.exe
2584	smss.exe
3044	smss.exe
2032	smss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	DllCommonsvc.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2160	smss.exe
Token: SeDebugPrivilege	2240	smss.exe
Token: SeDebugPrivilege	2300	smss.exe
Token: SeDebugPrivilege	2732	smss.exe
Token: SeDebugPrivilege	2176	smss.exe
Token: SeDebugPrivilege	2512	smss.exe
Token: SeDebugPrivilege	2584	smss.exe
Token: SeDebugPrivilege	3044	smss.exe
Token: SeDebugPrivilege	2032	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3068	2412	JaffaCakes118_f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a.exe	29
PID 2412 wrote to memory of 3068	2412	JaffaCakes118_f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a.exe	29
PID 2412 wrote to memory of 3068	2412	JaffaCakes118_f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a.exe	29
PID 2412 wrote to memory of 3068	2412	JaffaCakes118_f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a.exe	29
PID 3068 wrote to memory of 2832	3068	WScript.exe	30
PID 3068 wrote to memory of 2832	3068	WScript.exe	30
PID 3068 wrote to memory of 2832	3068	WScript.exe	30
PID 3068 wrote to memory of 2832	3068	WScript.exe	30
PID 2832 wrote to memory of 2912	2832	cmd.exe	32
PID 2832 wrote to memory of 2912	2832	cmd.exe	32
PID 2832 wrote to memory of 2912	2832	cmd.exe	32
PID 2832 wrote to memory of 2912	2832	cmd.exe	32
PID 2912 wrote to memory of 2572	2912	DllCommonsvc.exe	76
PID 2912 wrote to memory of 2572	2912	DllCommonsvc.exe	76
PID 2912 wrote to memory of 2572	2912	DllCommonsvc.exe	76
PID 2912 wrote to memory of 1420	2912	DllCommonsvc.exe	77
PID 2912 wrote to memory of 1420	2912	DllCommonsvc.exe	77
PID 2912 wrote to memory of 1420	2912	DllCommonsvc.exe	77
PID 2912 wrote to memory of 2064	2912	DllCommonsvc.exe	78
PID 2912 wrote to memory of 2064	2912	DllCommonsvc.exe	78
PID 2912 wrote to memory of 2064	2912	DllCommonsvc.exe	78
PID 2912 wrote to memory of 2520	2912	DllCommonsvc.exe	79
PID 2912 wrote to memory of 2520	2912	DllCommonsvc.exe	79
PID 2912 wrote to memory of 2520	2912	DllCommonsvc.exe	79
PID 2912 wrote to memory of 2608	2912	DllCommonsvc.exe	80
PID 2912 wrote to memory of 2608	2912	DllCommonsvc.exe	80
PID 2912 wrote to memory of 2608	2912	DllCommonsvc.exe	80
PID 2912 wrote to memory of 564	2912	DllCommonsvc.exe	81
PID 2912 wrote to memory of 564	2912	DllCommonsvc.exe	81
PID 2912 wrote to memory of 564	2912	DllCommonsvc.exe	81
PID 2912 wrote to memory of 2388	2912	DllCommonsvc.exe	83
PID 2912 wrote to memory of 2388	2912	DllCommonsvc.exe	83
PID 2912 wrote to memory of 2388	2912	DllCommonsvc.exe	83
PID 2912 wrote to memory of 2368	2912	DllCommonsvc.exe	85
PID 2912 wrote to memory of 2368	2912	DllCommonsvc.exe	85
PID 2912 wrote to memory of 2368	2912	DllCommonsvc.exe	85
PID 2912 wrote to memory of 2008	2912	DllCommonsvc.exe	86
PID 2912 wrote to memory of 2008	2912	DllCommonsvc.exe	86
PID 2912 wrote to memory of 2008	2912	DllCommonsvc.exe	86
PID 2912 wrote to memory of 2028	2912	DllCommonsvc.exe	87
PID 2912 wrote to memory of 2028	2912	DllCommonsvc.exe	87
PID 2912 wrote to memory of 2028	2912	DllCommonsvc.exe	87
PID 2912 wrote to memory of 1596	2912	DllCommonsvc.exe	88
PID 2912 wrote to memory of 1596	2912	DllCommonsvc.exe	88
PID 2912 wrote to memory of 1596	2912	DllCommonsvc.exe	88
PID 2912 wrote to memory of 2800	2912	DllCommonsvc.exe	98
PID 2912 wrote to memory of 2800	2912	DllCommonsvc.exe	98
PID 2912 wrote to memory of 2800	2912	DllCommonsvc.exe	98
PID 2912 wrote to memory of 2300	2912	DllCommonsvc.exe	99
PID 2912 wrote to memory of 2300	2912	DllCommonsvc.exe	99
PID 2912 wrote to memory of 2300	2912	DllCommonsvc.exe	99
PID 2912 wrote to memory of 2776	2912	DllCommonsvc.exe	100
PID 2912 wrote to memory of 2776	2912	DllCommonsvc.exe	100
PID 2912 wrote to memory of 2776	2912	DllCommonsvc.exe	100
PID 2912 wrote to memory of 2948	2912	DllCommonsvc.exe	101
PID 2912 wrote to memory of 2948	2912	DllCommonsvc.exe	101
PID 2912 wrote to memory of 2948	2912	DllCommonsvc.exe	101
PID 2912 wrote to memory of 2504	2912	DllCommonsvc.exe	106
PID 2912 wrote to memory of 2504	2912	DllCommonsvc.exe	106
PID 2912 wrote to memory of 2504	2912	DllCommonsvc.exe	106
PID 2504 wrote to memory of 2796	2504	cmd.exe	108
PID 2504 wrote to memory of 2796	2504	cmd.exe	108
PID 2504 wrote to memory of 2796	2504	cmd.exe	108
PID 2504 wrote to memory of 2160	2504	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f46480dc890d64a9d0ff2337da7003ee81789bf95f5eae53e0f7e7a8fed68f3a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tjn55VIiTw.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2796
      - C:\Windows\TAPI\smss.exe
        
        "C:\Windows\TAPI\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        7⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:108
        
        C:\Windows\TAPI\smss.exe
        
        "C:\Windows\TAPI\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
        9⤵
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:564
        
        C:\Windows\TAPI\smss.exe
        
        "C:\Windows\TAPI\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        11⤵
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2068
        
        C:\Windows\TAPI\smss.exe
        
        "C:\Windows\TAPI\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        13⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2652
        
        C:\Windows\TAPI\smss.exe
        
        "C:\Windows\TAPI\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
        15⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2044
        
        C:\Windows\TAPI\smss.exe
        
        "C:\Windows\TAPI\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        17⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1564
        
        C:\Windows\TAPI\smss.exe
        
        "C:\Windows\TAPI\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        19⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1108
        
        C:\Windows\TAPI\smss.exe
        
        "C:\Windows\TAPI\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        21⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2108
        
        C:\Windows\TAPI\smss.exe
        
        "C:\Windows\TAPI\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Media\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b826c869591339ec32b40e9798016c8

SHA1
baf6d7c66562e4e67572256910801deaedd5ae47

SHA256
ab051a264a3cad2ebf23df7cd3fa70b96b94da6a2e092d1f59ec81daa5b11859

SHA512
a9fc4e8420492f63157d07bed681a0ac91f353996fab3e7a244301a2a03edf4f345b0219e23b09f2b8379370a7572dd3aba2f52ab20228c91e02258883bfeabb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
795690cb0dc5a66413cac75e6be47c81

SHA1
35e4cc99ab249d128c4f8545d7cc67eebad4c064

SHA256
3cdfed4ef1ead38c79b7857e6e8b45d6e21d2d24b76b1043e271b9a443d15d54

SHA512
3465d59fb9801fe10de3211e4b1522ede6a4641d88885b5706aee756148fcba70f60041e2818aa5295f117e767515ee319b63696987bd0da89f609378b097e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4907d6cee2ecfec4bfb030755107e7fb

SHA1
69897ef09b597d354a06aaeb8bd6dc445415ef25

SHA256
0058a44d6aa79f6d16f15a3629144bb28a4546b75c9cae51eab8ccd7d64c6ac7

SHA512
017990abf33d4974636630d0548b797946f531af840632d1d6e346a03deface52e70c871a2c2904a7d1d0a00393b45215133bdcddd2201fa3eb6ae63a82c3a8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b98fda15955afbfb4ed232911003601

SHA1
33b06c1894441e8e95f9882796c1634d836cf176

SHA256
c137b05c48135b8590438deb876bd1e630397fc14aa22820077e00f51cbfa2ee

SHA512
fd9fb294481a359993b3230f56386ebcae6859c60bea57055b4f33358d5dc79dff0c5db0f8f38e815f506eca5e2da89c4f557e492a1679ff35bab63881b36acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
541b54534ebe453fe1a9675922cc8439

SHA1
6392fd3b0c574ed8ecf0428029c48a15b04b9d4e

SHA256
3c43bac23b0eac7552116af4ef09d9e5203b888e4e1579f519fd7640bf8c3a9e

SHA512
038d120f6ab060d6f643dad779f836f435f179cf7382314e6ae27a560294cf231f65557ff9d85ff96bbe36d46c2a6f5ae2c90dacc22d1e907289399f9882493c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
177686c0051fe513a3323c6d77a79aac

SHA1
f64daa5a4915580e8c725d4ad5d59d9467251564

SHA256
9978968d2de134d7f528aa18190b346331abec164261fbf210db6462582b8179

SHA512
46644501f49a1040c9826d4b35fcf36ff281c8236d137e84288779f09187dd8e44550b824645b02d10b2601a5ac853092c65f12c29610f1f863432a73e367470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33ae8d1de6babf2d8e5d2e3fe85a3519

SHA1
cb092ba9461c72d992aefbbcd03730dc0c69b45b

SHA256
22c9182d01123ce3c3cfe27a8e9486459da5c814b59d8bcb4282e8998df73f86

SHA512
92db0d03de90b05c4305e8ea9aafa7dcb8f9a4d8e359f628bf8fb34e434fd36ba4a0130149e684fbdc4a01fb3a9a6b79e5c65ab0e6afd7cbdc377913bfca498c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
189B

MD5
a1daf15add0f0ea7351737945538e1c7

SHA1
14c20b46b5fc6f961ca6ef32a62d27934ee090d9

SHA256
3092a016f0f20cf85e9582c458c82f7452b2c84f7ac00559d252faac2d29e2c2

SHA512
c74a10b09ab629209ca67dfcd1c0cebaad5d26cbb3944f85f9df2e36dab79c709f1cfa122a6d99eec982050ff5775d4cb5d5af7fcc308d653ed549eef130d464

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

Filesize
189B

MD5
c53dee9fd304c55c4c81ca3671ed7c05

SHA1
5b79d9175bfde6e41f5b763dc832fbd701966687

SHA256
3cb977a83ec56f56164f642f5c9e7ed72f7a9a44f6ac1135ead226d43b4591d7

SHA512
3f5d495e32b84ad8740d4319a5027aa99df1e2abe0de404126942b77a9870a893c2f13832b85f95ad9346cbaddd07874da40dd9efb039c7bad7e3b978cbb699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
189B

MD5
8a23d154e059a8f8a16b45921d739a31

SHA1
58703f4b1875e40c021ded0349793154baa05356

SHA256
29b509c4b78bb3109d76f91e057e85ee814708f171138998a60e0253cc92a028

SHA512
ce2501441bd3a397883fe629ac2b3ef20ed8b56d421c619f04791be88a01c9f62a192d2841e4d7c3d53f1e5e3ae2bb78c729d67fa0933049dd2ac2c58534b345

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab872C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
189B

MD5
f93b3da2e43cf8aa8d1d13335351445e

SHA1
87da3df19bdb3c47b62a65fb45a3b2d6d0486ecf

SHA256
586622f2107ffdd92ede6495d2661ae5950a79171d0a08327d0f8e77c3b37b1b

SHA512
e9a6233f8f1f1da228ec7a32cc1c24feac478e7164a558cc7da07a80cf19e49201208cdc7da5633f000293577f606fdc4f7fc640bf7a30190f0de2594b6deb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar87BB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tjn55VIiTw.bat

Filesize
189B

MD5
60d2ec6c3f27d7ee99588345060ad305

SHA1
dbc23af4a9c09ef74c059bc2c219693fb226bffa

SHA256
7599608d2ebf9096d9326ce23e2b8007955ac14fc9ab234d5e6656604dde7178

SHA512
d7e0f23b09c442ac27f93ba5a496d7d6fc801b59290c76f2df479e220f44d6043d5acffcfd6fe18cc358c48c264eb3eb49742b6c932f9d0207161f821529246b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
189B

MD5
ca45a1469759b11d85c0c685cf8ee099

SHA1
e8934d3cc327b2dcb477f20e179a92894ac2cff0

SHA256
244984788e35dd16f78bd5829f54c0450937d0c15897a0d6b978024c8a3a5f90

SHA512
3e4d52340ea1b0a5c656eeb5e9c36393bf84e26fa658cc451e8503f71a6ca46e7779d34be9c71fcebf0771b2c070f99b823ae33e162c3c10f4d186b673241342

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
189B

MD5
7e736bf371f1666035b4a4c7ff51c258

SHA1
05f2f5dede40a5a60073b5c04652340f7bd8b926

SHA256
9c313c5365f5a975449bf262850cc5bb1a6dea84316f1f158a1373489cd3fd74

SHA512
55a58c4bde163a8c2cdeaaab4364f9794c40f2a4a232148bec8bfa3b51db5d540e032b15348f31b144b91528c4f765a5e9ebd869f148a3912ab3c335417c7e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
189B

MD5
8c7abfcd9d8c073e574faa00da937902

SHA1
830979050b07fdc4558934cb2ce53cb422cfe5ee

SHA256
03d5111a787dfef51b8ee1139e82a6bee8b339031a123661210e96bf7c82bae6

SHA512
3b3761974e1581c815d36d736f39aa1eb38a979e67884ab009d968a44b55831be51c48f14ddbd47835cdf74e7e6aaf2666f581e52cdef5513bdcdb206b1bd98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat

Filesize
189B

MD5
bb7d91232fb39c0c0dcba24db578e547

SHA1
bf4177bc96c05c13e67c86ae540d9668d94613de

SHA256
46db5484043be04ece4f03950ca8aee1876a1e7b4ec39e65f248ca2dc321062d

SHA512
2164972d27694a6860eb1750f2b5aef003a9e2864b528414a47f0f489a43ad5c29418a27261155a07aa3e21f464f024b1c5723531ee0103fc2e959c277227295

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6c498e426787520b93758ea6e7d02192

SHA1
c575904a1eb619e88a260cc9847d473052346653

SHA256
a24d7f1bfefd8c39609382872aff3c6002115263dd4adcc56c98694e2d078a46

SHA512
af1404355ea2582cbfd3a3735004a163f73f3ab6652fa5c2534a3b4b9dbff7abee6dd12c0598c2bc0bea3db129018d107eadb1cd255117793c60db7db1ddd63c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/2160-117-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/2300-235-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2512-414-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2572-94-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2584-474-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2608-114-0x0000000002140000-0x0000000002148000-memory.dmp

Filesize
32KB

Download
memory/2732-295-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2912-17-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2912-16-0x0000000002480000-0x000000000248C000-memory.dmp

Filesize
48KB

Download
memory/2912-15-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2912-14-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2912-13-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download
memory/3044-534-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/3044-535-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download