dcrat | b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80.exe
Size

1.3MB
MD5

0d5e03e18d3077212bc481423483ed69
SHA1

56b7145103204387842eb202036a148c3ed92185
SHA256

b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80
SHA512

5b2802240070da9bf5a1f3448f28ede439a91e944a0aaf1faaedc022d44f5db8542b6f5dae168b92fad87e6ae4ad505ab07c0e82c9d4088cebd1e8b7ac8476c3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2676	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2676	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001706d-9.dat	dcrat
behavioral1/memory/1368-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/1776-98-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2808-157-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/1644-218-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/2420-278-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/2688-397-0x0000000000BE0000-0x0000000000CF0000-memory.dmp	dcrat
behavioral1/memory/2396-457-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2224-517-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
836	powershell.exe
1972	powershell.exe
1840	powershell.exe
276	powershell.exe
1396	powershell.exe
948	powershell.exe
1916	powershell.exe
1048	powershell.exe
1968	powershell.exe
372	powershell.exe
932	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1368	DllCommonsvc.exe
1776	WMIADAP.exe
2808	WMIADAP.exe
1644	WMIADAP.exe
2420	WMIADAP.exe
2976	WMIADAP.exe
2688	WMIADAP.exe
2396	WMIADAP.exe
2224	WMIADAP.exe
2180	WMIADAP.exe
2952	WMIADAP.exe
2428	WMIADAP.exe
884	WMIADAP.exe

Loads dropped DLL 2 IoCs

pid	Process
1780	cmd.exe
1780	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Reports\it-IT\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\it-IT\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2532	schtasks.exe
2552	schtasks.exe
1428	schtasks.exe
2428	schtasks.exe
3000	schtasks.exe
2292	schtasks.exe
2356	schtasks.exe
1788	schtasks.exe
1560	schtasks.exe
1928	schtasks.exe
776	schtasks.exe
2764	schtasks.exe
1316	schtasks.exe
2756	schtasks.exe
2120	schtasks.exe
2884	schtasks.exe
868	schtasks.exe
1988	schtasks.exe
1796	schtasks.exe
2732	schtasks.exe
2140	schtasks.exe
2772	schtasks.exe
2696	schtasks.exe
2980	schtasks.exe
1296	schtasks.exe
2744	schtasks.exe
2720	schtasks.exe
1736	schtasks.exe
1908	schtasks.exe
2928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1368	DllCommonsvc.exe
1368	DllCommonsvc.exe
1368	DllCommonsvc.exe
276	powershell.exe
1048	powershell.exe
1916	powershell.exe
932	powershell.exe
948	powershell.exe
1396	powershell.exe
372	powershell.exe
1968	powershell.exe
1840	powershell.exe
1972	powershell.exe
836	powershell.exe
1776	WMIADAP.exe
2808	WMIADAP.exe
1644	WMIADAP.exe
2420	WMIADAP.exe
2976	WMIADAP.exe
2688	WMIADAP.exe
2396	WMIADAP.exe
2224	WMIADAP.exe
2180	WMIADAP.exe
2952	WMIADAP.exe
2428	WMIADAP.exe
884	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	DllCommonsvc.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1776	WMIADAP.exe
Token: SeDebugPrivilege	2808	WMIADAP.exe
Token: SeDebugPrivilege	1644	WMIADAP.exe
Token: SeDebugPrivilege	2420	WMIADAP.exe
Token: SeDebugPrivilege	2976	WMIADAP.exe
Token: SeDebugPrivilege	2688	WMIADAP.exe
Token: SeDebugPrivilege	2396	WMIADAP.exe
Token: SeDebugPrivilege	2224	WMIADAP.exe
Token: SeDebugPrivilege	2180	WMIADAP.exe
Token: SeDebugPrivilege	2952	WMIADAP.exe
Token: SeDebugPrivilege	2428	WMIADAP.exe
Token: SeDebugPrivilege	884	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2500	1708	b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80.exe	31
PID 1708 wrote to memory of 2500	1708	b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80.exe	31
PID 1708 wrote to memory of 2500	1708	b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80.exe	31
PID 1708 wrote to memory of 2500	1708	b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80.exe	31
PID 2500 wrote to memory of 1780	2500	WScript.exe	32
PID 2500 wrote to memory of 1780	2500	WScript.exe	32
PID 2500 wrote to memory of 1780	2500	WScript.exe	32
PID 2500 wrote to memory of 1780	2500	WScript.exe	32
PID 1780 wrote to memory of 1368	1780	cmd.exe	34
PID 1780 wrote to memory of 1368	1780	cmd.exe	34
PID 1780 wrote to memory of 1368	1780	cmd.exe	34
PID 1780 wrote to memory of 1368	1780	cmd.exe	34
PID 1368 wrote to memory of 1916	1368	DllCommonsvc.exe	66
PID 1368 wrote to memory of 1916	1368	DllCommonsvc.exe	66
PID 1368 wrote to memory of 1916	1368	DllCommonsvc.exe	66
PID 1368 wrote to memory of 948	1368	DllCommonsvc.exe	67
PID 1368 wrote to memory of 948	1368	DllCommonsvc.exe	67
PID 1368 wrote to memory of 948	1368	DllCommonsvc.exe	67
PID 1368 wrote to memory of 1396	1368	DllCommonsvc.exe	68
PID 1368 wrote to memory of 1396	1368	DllCommonsvc.exe	68
PID 1368 wrote to memory of 1396	1368	DllCommonsvc.exe	68
PID 1368 wrote to memory of 276	1368	DllCommonsvc.exe	69
PID 1368 wrote to memory of 276	1368	DllCommonsvc.exe	69
PID 1368 wrote to memory of 276	1368	DllCommonsvc.exe	69
PID 1368 wrote to memory of 1840	1368	DllCommonsvc.exe	70
PID 1368 wrote to memory of 1840	1368	DllCommonsvc.exe	70
PID 1368 wrote to memory of 1840	1368	DllCommonsvc.exe	70
PID 1368 wrote to memory of 932	1368	DllCommonsvc.exe	71
PID 1368 wrote to memory of 932	1368	DllCommonsvc.exe	71
PID 1368 wrote to memory of 932	1368	DllCommonsvc.exe	71
PID 1368 wrote to memory of 372	1368	DllCommonsvc.exe	72
PID 1368 wrote to memory of 372	1368	DllCommonsvc.exe	72
PID 1368 wrote to memory of 372	1368	DllCommonsvc.exe	72
PID 1368 wrote to memory of 1048	1368	DllCommonsvc.exe	73
PID 1368 wrote to memory of 1048	1368	DllCommonsvc.exe	73
PID 1368 wrote to memory of 1048	1368	DllCommonsvc.exe	73
PID 1368 wrote to memory of 1972	1368	DllCommonsvc.exe	74
PID 1368 wrote to memory of 1972	1368	DllCommonsvc.exe	74
PID 1368 wrote to memory of 1972	1368	DllCommonsvc.exe	74
PID 1368 wrote to memory of 1968	1368	DllCommonsvc.exe	77
PID 1368 wrote to memory of 1968	1368	DllCommonsvc.exe	77
PID 1368 wrote to memory of 1968	1368	DllCommonsvc.exe	77
PID 1368 wrote to memory of 836	1368	DllCommonsvc.exe	78
PID 1368 wrote to memory of 836	1368	DllCommonsvc.exe	78
PID 1368 wrote to memory of 836	1368	DllCommonsvc.exe	78
PID 1368 wrote to memory of 2236	1368	DllCommonsvc.exe	88
PID 1368 wrote to memory of 2236	1368	DllCommonsvc.exe	88
PID 1368 wrote to memory of 2236	1368	DllCommonsvc.exe	88
PID 2236 wrote to memory of 2068	2236	cmd.exe	90
PID 2236 wrote to memory of 2068	2236	cmd.exe	90
PID 2236 wrote to memory of 2068	2236	cmd.exe	90
PID 2236 wrote to memory of 1776	2236	cmd.exe	91
PID 2236 wrote to memory of 1776	2236	cmd.exe	91
PID 2236 wrote to memory of 1776	2236	cmd.exe	91
PID 1776 wrote to memory of 1668	1776	WMIADAP.exe	92
PID 1776 wrote to memory of 1668	1776	WMIADAP.exe	92
PID 1776 wrote to memory of 1668	1776	WMIADAP.exe	92
PID 1668 wrote to memory of 2140	1668	cmd.exe	94
PID 1668 wrote to memory of 2140	1668	cmd.exe	94
PID 1668 wrote to memory of 2140	1668	cmd.exe	94
PID 1668 wrote to memory of 2808	1668	cmd.exe	95
PID 1668 wrote to memory of 2808	1668	cmd.exe	95
PID 1668 wrote to memory of 2808	1668	cmd.exe	95
PID 2808 wrote to memory of 888	2808	WMIADAP.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80.exe
"C:\Users\Admin\AppData\Local\Temp\b6ff1d14920aaa64ec52d0084291fd675d419fbe2c50b02584ebddbeed15cd80.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\it-IT\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5AAV3IRxs.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2068
      - C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2140
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
        9⤵
        
        PID:888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2608
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        11⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1368
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        13⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1788
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        15⤵
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2692
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
        17⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2120
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat"
        19⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2300
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat"
        21⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1728
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        23⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1996
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
        25⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1800
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
        27⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2588
        
        C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe
        
        "C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecfaa802810453f4253ea82b91eafc5f

SHA1
d7a0c8fcbffee70845539d3a410c92d6231e455f

SHA256
74c80f9b974e93be4624edeec69a56e7a371a02197f2cbf69aacc248a77336cb

SHA512
020c5307bafe79a5218625d19197ac1477fd05b4e1d7c2baf924b579189a497427f46607fec231e9f704f4257149e608934f1368179266d529a751ff6010bc1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
086798ad845e97cc43fda4d3c177e5e4

SHA1
ae372891f6e001ff4c2f1e080e84f02d5a9aff9d

SHA256
41dcbc7b4b8b07c5589f2b283b2e53d786a857497cb6c63499733f5205bed71b

SHA512
fa0008d976a650c8c0c90d5d2fa170fd554f710fab7b745e1c9660abe75b7570768202980f7eab6be142c24aca24806465b4e82f5e0661a0a668049f073d52ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
073cdaca575faf8b71a34d1b11f518b8

SHA1
733e6538fa34f12a01ad0ba0b9630643158ab21b

SHA256
7e8b1e2c9472f30a0c8829ab934b8d92c50831a3cecab35df8d40fe88f3f6351

SHA512
b63d0cbf7cb4ed4fd78141eab2ff76e77dfa93d4af0d7893b286e257962a6e70c6cecb364f7e70af17796ff121b6b7bcc42408de527adc078aa8e52ff554581e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24e3655e13590ff118415a67df641f77

SHA1
1cf6342c6f14a81b39b298b9bc9a23018aceb77a

SHA256
6a7a4fca17a973c9c0166d2e243d0220ea588d4e37a737e014bb51564fa676fd

SHA512
43cf79a92196f605e0ade79d066679c00e6797a9eda122d24045704eacd3d76e2f356b6bd7e17bd689340ba0231ca8ba659d2ccf4a8ff5ae72669208410034c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f37beebbf742b80e57a55b9fe578eb62

SHA1
e8fd61b339da2c45049acfd709aceb80c8a0fd4d

SHA256
ab421753d3b28308c7376130db865594e021f30e3a68ed9948f20308acbd3141

SHA512
a431cd0843cc11b188b0a6246e81d66d250fa8b4c087dc9d391e5c523c0b38346deeed2879142f7d08cd7ed4f3f8bb6a886a5bc41eb2ddb9d3c831d8b96c2118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11ccc7e784d83bcdc1f1cc6717d359ed

SHA1
ea82bff9b672a40bad845b44caffea72a7de9293

SHA256
bddc4c46a616bb6f917fe0faff48c21eb75e92b65338ca1ec609026070c60230

SHA512
0341d5ead43f90f0cbafc2d42528b0f95a318fd39dc79ceaaaadbf337a69bfda750b15d9a755995d7bce6cb79b960817a8571164075975191a795fe3011d01b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50b5adeac7b995a694c8a206523d65cd

SHA1
cb1a80758de5c2bd759994b0515b3d06e909488d

SHA256
93b47129ebfb86684c0e0599111e522961e5b9ff5c90456c4a7b08ce56e54781

SHA512
82e21833ec0a4a86c7b0ffc90678be912c6d3d1fb5ea1ea27d2f10d9f7a24fc0b165dfe444a3e46154618ecb1173b3ea88e808996a81c6f575d1d93e1eee1cf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0273d00c3d2546b34276c4d382781ca

SHA1
3cce52162008e67fd43d97ec87834a2652ceec1b

SHA256
f86e4dbcd287bbf6ff0533efd087ad39e7a081c7c0b40cb3b3794370f2c5599a

SHA512
944e5c7c08b6bdef1759b2f29d5c6b62120721bf0cd4388d016a3fff1c8ac7375d0008c61f1357acc447ebb5050af4da3a08917f875412e1a98d8cb27dc688f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fd8fd159aff5e339a81cfc190de1617

SHA1
21c6494b6ecbe92de6566f99255c70faaced8767

SHA256
99a8dcee9ef87d6142f6ea0c794b0f9b9eb2602e2907aaafa46b607106e30d1b

SHA512
6167a77fe8d2a7da359bdfe17a92f5fb49c79d37f1c6c7f580426ff66c2cbf69909680479a593975f0d3f3489e11d792bab52c7db4feec8dee71ab4b027b0727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c524a926d593a2c6e527fdfd4d059806

SHA1
d684676a3354bb4afc9d824a32fd5842535c3142

SHA256
f33c76e32069079870559b3375cf0fdff8940da7a738b9b4d70ff7fb0ee419c2

SHA512
d2f9dd58d3d2b232c7bac3497285c762d7a8f4288b9abf97c300bba95002945c26ff55296ae9339e55d7ed4a2e7d031851dd0dc9baf04fdab749bb3cb5f03dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat

Filesize
227B

MD5
80c80928fb952e68ddbf31b4bb6d5ffa

SHA1
5d1e87972b788f744a2f03d466fd7db54632aab6

SHA256
812fefdd71cf66517488430e1c3fd514e43fea8a144f9587fdb5cc6d0dce4f66

SHA512
23dc91fbd27f8f8727c5c125e49832c66720cfc9a0414061cc2fe80999f177e23b98393bb676327a2b527652dc52ebc9ec3313ad91d7096f3cb157baf0e644c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

Filesize
227B

MD5
d0468f9eb2c6f2923f0d35df97e6baf3

SHA1
9abb578f95b683648f4d6c753181c6fb33b163db

SHA256
a9969d1ffc5ab846873fcc721f4f0e1ff9a308a19b9959595a7ea86422c9b121

SHA512
2741c600974b155b87f8be8def2c1b259a10a80e9e336c5de760bc5091033ce4b90cf4bf0b1ff198a5f3c9d29b5bef33e309f5e6d1605f61474312f5f16ce533

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
227B

MD5
950619572f1fd93e4f7907013e22116a

SHA1
9e430a2c042af82f6d48aeea5ab54f2d33fd5eb5

SHA256
38b5597a8e4401ca926d2be30c3348c45176800d87fd31b5f5d730e3aacfd2dd

SHA512
79a392a3b4552073b58ef568eba55657ec18515098e694ec53e2e8c945f40ce27aaa28d66a899a093730f4095168c6ff0f707559f77c7037155958b088955db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2703.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat

Filesize
227B

MD5
eba98014013a77055402dd10ff48aca3

SHA1
75fdedf141be9b942c1e7055f7e1df8197a16c70

SHA256
f18f1b40016c891eb39c238ac375135bbb2b937493ace258ddc2734f05a4730b

SHA512
91bf22f79eaf682e16313ea00e88c3d9aada327f95ee30725f4bfa6f3bb6c87733f007650452846036550c6e8b0826ca2d639c0b80286e171d33f127c7ac2c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

Filesize
227B

MD5
ca270f9c419cf169470d55814b108cf8

SHA1
e807fcf6a700db7f04bacc0330988e69c87ff05a

SHA256
92206a0d35605b7037994c0b0de276879c0d29385bfa3682570970c240e406a1

SHA512
a42c4ed36d8937244dfa1ad2c7f5a03c85d31039c18a6361157f81ec91e08dc23feae3acfa05de721996c1a60cac4d48843b045cca70e128f7a6e37c2ee6f853

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
227B

MD5
5eec5c9be996c6591d5a6765773671b3

SHA1
6d6319ed9a5af09ae62d5430946a26d4bfec960f

SHA256
570303456b9a7be089c61e007fdf12876c9c734125575266153b7da4691f7692

SHA512
540145b6f7ea17f60d9c820d49954d7d7fdfba248ca5139a3d03de36cd5ac5ce9361a303355834e30c62a292e42c538064631cf5577fc7b0eee7dda3f22e4296

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2725.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

Filesize
227B

MD5
eb44199d3813204fdc4e10f1064003ca

SHA1
c4d24015acd52884611f2a298d216f303492a22f

SHA256
d81741218ece6908e949691ccf456ce79028f6f17752daabda8704543acf72e2

SHA512
cb2d7afc00cc259be401602819bed82dc5f63cadbe70c9f8e34682553bb0a0875fd04e5ec4f2fb61d0256dc4d5b873f33bf831189eb819d6ec5e999cbe53ce3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat

Filesize
227B

MD5
817f2ff9903c18440044fa32ed4fff1a

SHA1
1f004cdbb37471b58f89c02832d2c97be84e68ea

SHA256
ef99ee27de1afd08077582c98fd0adce137db50eaa9ffdba4602cd50b2d28c5c

SHA512
1d2eabe219583aa5c042095a5e00fd04853371072ae1c5d591adf70e889425da5a9b38e5485bed7c4624f8768338b5294de54831bf6abb3e83994afc61c7820a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
227B

MD5
1552fbb1522fc75e98ee5aac05a4427a

SHA1
3ef3f40c5d18b929e3729d299cd3090e96358962

SHA256
6272183ba7f1f8b37451222a5af1553b23f03da2c82826a39ba2685e99b3ff51

SHA512
442143cf5cada599cb0fedccbc7f5579c217f69fb85a1cd08b36438c5a599b81b87e1480ba7ea2cb893056a75828dfbf5bfb2a0325ea608e5da6aed425aa8638

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat

Filesize
227B

MD5
fbbb4608770bb3bdc7893a478903a55a

SHA1
98ec6af608315c19bae5d039e9199abe3b663245

SHA256
7308d9b3bc35d83067301e3bec58e5c70e995f044a543e3a98419246a0b4cc80

SHA512
bcb64d69f628e18c18af6f4c22f8380f1450366864536409a129e898243a32a6e4f38bbf8e89487b96e97687ab2cf9474710a9423d2f636ede91882adc6b4073

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5AAV3IRxs.bat

Filesize
227B

MD5
edde33fe91dec8aec5ee7db6d6ca2e41

SHA1
280d39d03a882c923e13086714556bde230da712

SHA256
df64d8b257a1b8be04d2154a51a904047c7dfcd12589a2a3c01a93f98cc3896b

SHA512
d01b19d1de50b77b0f5f799fcc505352ee7050d41b334e8c3354b38906bab6ded283c88d32667287bcb18b336801684d5226e806eb202cd453d70f09162a79bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
227B

MD5
941facc77feb1d12038d1ee9b127754f

SHA1
86c03508e8a2a0f69d77b90933ecfa3b472dea21

SHA256
44e32850d1136a1c739e107ebd853459a72896ba7462fe69bfcccabba750525f

SHA512
858665d2f03da8148d5302bfb4cfa045210912f2a077eba2dc3eecc5a8cd9a48fefc5d5a3dec8a2a8b6749fae41d687a3e3374ae9ec87d58397fca9ea26b84d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ec9ac628b4bbbf0d8c1c3f50dc97ef03

SHA1
e102b509b7c060d5e2762afd370820f144feacb3

SHA256
ab895d8e1c24034efc8a856180b0632a7c4135eacefbe6ca8a86b815fe46b2fa

SHA512
03f7331747413cf4c13989bb62351b89d7b6ad5411aed84dfc4bdbf3b6faa0f310c2df8ac1e1f80e87bc127bd1c39859e3d3bbd0d8c55a997a3a96b4dd4dc4af

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/276-55-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/276-54-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1368-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1368-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1368-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/1368-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1368-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/1644-218-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/1776-98-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/2180-577-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2224-517-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2396-457-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2420-278-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/2688-397-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-157-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/2808-158-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download