dcrat | 86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153.exe
Size

1.3MB
MD5

abfa470df4302c4a4e59db657d0f3b11
SHA1

ccaea45e29e93bd40948f3324e5c51921cb4ea88
SHA256

86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153
SHA512

de8c4580d5913929062449fb7cde09fb9190c238baabdf449719b1b7c438fe97751074df45b73e728913f39374151f974ca6f3ac2a5037b42674572fdb9e9c2e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2720	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186c8-9.dat	dcrat
behavioral1/memory/2536-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/1336-110-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2256-169-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/584-229-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/1972-526-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1548	powershell.exe
2004	powershell.exe
2780	powershell.exe
2220	powershell.exe
1388	powershell.exe
1160	powershell.exe
584	powershell.exe
1348	powershell.exe
1952	powershell.exe
2596	powershell.exe
2704	powershell.exe
2564	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2536	DllCommonsvc.exe
2824	DllCommonsvc.exe
1336	conhost.exe
2256	conhost.exe
584	conhost.exe
600	conhost.exe
1640	conhost.exe
3028	conhost.exe
2828	conhost.exe
1972	conhost.exe
1356	conhost.exe
548	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	cmd.exe
1916	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
16	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
30	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..onservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_10cc81fab60cae26\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Help\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\Help\088424020bedd6	DllCommonsvc.exe
File opened for modification	C:\Windows\de-DE\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
2252	schtasks.exe
2588	schtasks.exe
1976	schtasks.exe
1864	schtasks.exe
2836	schtasks.exe
2624	schtasks.exe
1176	schtasks.exe
2576	schtasks.exe
2456	schtasks.exe
1932	schtasks.exe
2976	schtasks.exe
2980	schtasks.exe
2040	schtasks.exe
3000	schtasks.exe
1124	schtasks.exe
2768	schtasks.exe
2872	schtasks.exe
672	schtasks.exe
2244	schtasks.exe
1612	schtasks.exe
2740	schtasks.exe
1308	schtasks.exe
1648	schtasks.exe
2812	schtasks.exe
1748	schtasks.exe
1248	schtasks.exe
2320	schtasks.exe
1500	schtasks.exe
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2004	powershell.exe
1548	powershell.exe
1952	powershell.exe
1160	powershell.exe
1388	powershell.exe
1348	powershell.exe
584	powershell.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2704	powershell.exe
2564	powershell.exe
2780	powershell.exe
2596	powershell.exe
2220	powershell.exe
1336	conhost.exe
2256	conhost.exe
584	conhost.exe
600	conhost.exe
1640	conhost.exe
3028	conhost.exe
2828	conhost.exe
1972	conhost.exe
1356	conhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	DllCommonsvc.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2824	DllCommonsvc.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1336	conhost.exe
Token: SeDebugPrivilege	2256	conhost.exe
Token: SeDebugPrivilege	584	conhost.exe
Token: SeDebugPrivilege	600	conhost.exe
Token: SeDebugPrivilege	1640	conhost.exe
Token: SeDebugPrivilege	3028	conhost.exe
Token: SeDebugPrivilege	2828	conhost.exe
Token: SeDebugPrivilege	1972	conhost.exe
Token: SeDebugPrivilege	1356	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2328	1976	JaffaCakes118_86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153.exe	30
PID 1976 wrote to memory of 2328	1976	JaffaCakes118_86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153.exe	30
PID 1976 wrote to memory of 2328	1976	JaffaCakes118_86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153.exe	30
PID 1976 wrote to memory of 2328	1976	JaffaCakes118_86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153.exe	30
PID 2328 wrote to memory of 1916	2328	WScript.exe	31
PID 2328 wrote to memory of 1916	2328	WScript.exe	31
PID 2328 wrote to memory of 1916	2328	WScript.exe	31
PID 2328 wrote to memory of 1916	2328	WScript.exe	31
PID 1916 wrote to memory of 2536	1916	cmd.exe	33
PID 1916 wrote to memory of 2536	1916	cmd.exe	33
PID 1916 wrote to memory of 2536	1916	cmd.exe	33
PID 1916 wrote to memory of 2536	1916	cmd.exe	33
PID 2536 wrote to memory of 1548	2536	DllCommonsvc.exe	53
PID 2536 wrote to memory of 1548	2536	DllCommonsvc.exe	53
PID 2536 wrote to memory of 1548	2536	DllCommonsvc.exe	53
PID 2536 wrote to memory of 2004	2536	DllCommonsvc.exe	54
PID 2536 wrote to memory of 2004	2536	DllCommonsvc.exe	54
PID 2536 wrote to memory of 2004	2536	DllCommonsvc.exe	54
PID 2536 wrote to memory of 1952	2536	DllCommonsvc.exe	55
PID 2536 wrote to memory of 1952	2536	DllCommonsvc.exe	55
PID 2536 wrote to memory of 1952	2536	DllCommonsvc.exe	55
PID 2536 wrote to memory of 1348	2536	DllCommonsvc.exe	57
PID 2536 wrote to memory of 1348	2536	DllCommonsvc.exe	57
PID 2536 wrote to memory of 1348	2536	DllCommonsvc.exe	57
PID 2536 wrote to memory of 584	2536	DllCommonsvc.exe	59
PID 2536 wrote to memory of 584	2536	DllCommonsvc.exe	59
PID 2536 wrote to memory of 584	2536	DllCommonsvc.exe	59
PID 2536 wrote to memory of 1160	2536	DllCommonsvc.exe	60
PID 2536 wrote to memory of 1160	2536	DllCommonsvc.exe	60
PID 2536 wrote to memory of 1160	2536	DllCommonsvc.exe	60
PID 2536 wrote to memory of 1388	2536	DllCommonsvc.exe	61
PID 2536 wrote to memory of 1388	2536	DllCommonsvc.exe	61
PID 2536 wrote to memory of 1388	2536	DllCommonsvc.exe	61
PID 2536 wrote to memory of 2824	2536	DllCommonsvc.exe	63
PID 2536 wrote to memory of 2824	2536	DllCommonsvc.exe	63
PID 2536 wrote to memory of 2824	2536	DllCommonsvc.exe	63
PID 2824 wrote to memory of 2780	2824	DllCommonsvc.exe	81
PID 2824 wrote to memory of 2780	2824	DllCommonsvc.exe	81
PID 2824 wrote to memory of 2780	2824	DllCommonsvc.exe	81
PID 2824 wrote to memory of 2596	2824	DllCommonsvc.exe	82
PID 2824 wrote to memory of 2596	2824	DllCommonsvc.exe	82
PID 2824 wrote to memory of 2596	2824	DllCommonsvc.exe	82
PID 2824 wrote to memory of 2704	2824	DllCommonsvc.exe	83
PID 2824 wrote to memory of 2704	2824	DllCommonsvc.exe	83
PID 2824 wrote to memory of 2704	2824	DllCommonsvc.exe	83
PID 2824 wrote to memory of 2564	2824	DllCommonsvc.exe	86
PID 2824 wrote to memory of 2564	2824	DllCommonsvc.exe	86
PID 2824 wrote to memory of 2564	2824	DllCommonsvc.exe	86
PID 2824 wrote to memory of 2220	2824	DllCommonsvc.exe	88
PID 2824 wrote to memory of 2220	2824	DllCommonsvc.exe	88
PID 2824 wrote to memory of 2220	2824	DllCommonsvc.exe	88
PID 2824 wrote to memory of 1972	2824	DllCommonsvc.exe	91
PID 2824 wrote to memory of 1972	2824	DllCommonsvc.exe	91
PID 2824 wrote to memory of 1972	2824	DllCommonsvc.exe	91
PID 1972 wrote to memory of 2476	1972	cmd.exe	93
PID 1972 wrote to memory of 2476	1972	cmd.exe	93
PID 1972 wrote to memory of 2476	1972	cmd.exe	93
PID 1972 wrote to memory of 1336	1972	cmd.exe	94
PID 1972 wrote to memory of 1336	1972	cmd.exe	94
PID 1972 wrote to memory of 1336	1972	cmd.exe	94
PID 1336 wrote to memory of 3068	1336	conhost.exe	95
PID 1336 wrote to memory of 3068	1336	conhost.exe	95
PID 1336 wrote to memory of 3068	1336	conhost.exe	95
PID 3068 wrote to memory of 528	3068	cmd.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86eae040beb18bc6f0f04fa97812596de4cfb50fbd6fcefd78b4a7e8fe5b5153.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZFO1tMwFX.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2476
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:528
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
        10⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2616
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        12⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2572
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
        14⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3056
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        16⤵
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:612
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
        18⤵
        
        PID:396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2564
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        20⤵
        
        PID:988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2576
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        22⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2328
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        24⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2456
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe"
        25⤵
        Executes dropped EXE
        
        PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Help\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba46a42753f01b11eef67d9a0be04884

SHA1
99a7c3b2c3bb343a4e416d82b47ea6c195050cc9

SHA256
be6696d10de619efda7baf19daebbad367f407cda5aedb7b8b8dc8dc11819460

SHA512
6c91d3726f6edb8952098cbc5d708258f0519d4c3d8abfe910d6122cdfcc319eb0122b70f30cfc8b87a3a8c42f9193d0f0d5bebb2895914f04ab81e97f81f961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dcf0102ebf8749321da6121b4df72d5

SHA1
fffe98475df6d32902e554023e793159b68ecaf7

SHA256
bda4b5952a2fe9e78a1cad593a727fd7f67cad0d92dd1922fcc9d2632324c0a0

SHA512
dde503f4e5cc9f08c3828c6e9375a9a14d19941af544f16c4918e6a8c661693d95e7ac9a99637e8a93711d8b8225c45fb92884b3c1401a1b89a50c22228fb186

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6919f8e867ffe401b75d78b4bc40c869

SHA1
7bda3969680c7379623649b4c51c9e034cdab860

SHA256
da6018d093b21af1a6d7b43a862de4714a27ddf0566ebf05d0927799f2418ac6

SHA512
2fb322465b628cd092ebf626419141ccd98e19f1cf891e8733d971f12401f3330b1ae8a2791ce7dd1ab6c478cde6a53e3d5286ee7f46c500cded8af1c46c7739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
274fbc6b5e973fbe7c680c218e0441a9

SHA1
df32166a0532cbd6bb7cd8aa0657e355fdddd62d

SHA256
198068525093d67275d86ac074718f20eed462b66fffcbd351e8f5dc560a9ef8

SHA512
19927f42c020a84e3a8344b63e89e4d442ec74a466d00ff985c9e461c3c2875764e5f77571f66029d16b6d0ee68a05e0b84490a2ea97847a13a34c2845bb00ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3ab3385a194fbd7ad69b7b8c6762769

SHA1
3ec2d560527bcca01ec150c11d50991cabddc8cd

SHA256
866af9b642f15411164c4be529197e2a31ac100901fa72f3c4caf62f7e2ee9df

SHA512
f1c7e14792dd6386e04cb2d1ff4385f2ff064454e361d748ea24967c4d67fdfff3a40652b991d5706bc98c5e8f4b4c51270e9a8d43a111b493491b7dc303f58c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46660c92a0d37bac90d2039873985c23

SHA1
efeeafbe88640a0b47b25de1646692dc9cbd0a60

SHA256
5142bf1f1475a22f6e50dd9a953f5adce2cce7120a45febf48a1aa29bbedbeff

SHA512
bccf72a2a9aa304ee681831551cb75627f6a48ea735687fa9c3a25ab9c5ab1baef335f05b90caa6cffd3a405248d48d97cab3a80c6ed9d3edd0fbffdcd369e6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fafc599597a14224154c1d20367026d

SHA1
66dfac4fa20828077b601fe7fb5988632f66e565

SHA256
f7e9ffd8f41b103ca4d8cbcfe32bb8d7ee5a5bfa0b87ebda9077c002b4482380

SHA512
276635417a2885c8d4e9f0f384a8969b417d60b8ffc96087d09a80b15cce6d738cad0c818acf2d978ae0fb86c52daf4cc0331550a8cc75ae4f1d63fd3041e7b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05594132c37c8468ac5857d86b5cc15e

SHA1
30604b3a873bc2935c8c81085d19b04e923979ce

SHA256
12dd4312ee3cbe12219b1922f4d77842e49141e7751deef12dee8ac5383e19d7

SHA512
4ad35234d494dd7a13a82e3facd34f2561cf88e7c3e70e7d105ea61b54b42be9448b6f6d6a333b1d88237b8c9af30227d0315d7427090fe78628e417b4e637c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat

Filesize
237B

MD5
731b941eb40e2323cd5139ea81fe8772

SHA1
56e16b2ffe9cfd3fdae87340cdd9b8c5a4e68ca3

SHA256
837b49a2c0d1ff51b1e5b88ae2fda636d7c69fceb153609a0429468b764c31cf

SHA512
2ca6a488d2c9eca7dca2d306de16448df4553d42eff192b876135a3b23315fb09761c4181edf18d46fe264bf2ac1eb863d188641a175c6e3ccd0cdc98b947dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6FE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
237B

MD5
78e204e19e2121e2bc0b8a0a6868536a

SHA1
67cf0e357adda1cf43c591f0bb115c7d2331b2f0

SHA256
bb8b2b5a10901dbe5f91bd582ca43128c43192922422a7cf20a26d28c024ee2c

SHA512
fa55698b4972bc353922b719bf36454842802f55f6e5527399f83efb9e2f2e4e02dff077c81f7778bb87d37468e2729d28aa6a8c1586cc3fe54680dd5959e449

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF711.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UZFO1tMwFX.bat

Filesize
237B

MD5
ccecb1234bcc1a17ffe098da00742d28

SHA1
ce0235cdae338367172c45a068a07704e9e5b129

SHA256
58045b17aa3dbad6f0c416c6e74752b9b78f495bf97052251ffb3271cc0c4249

SHA512
3984b3a263dc52b4e9d639a139950a05a66f1a96f1fa630060982f9620b89575a1ade75bd59409a04571c2ae9f9af88f1d2dee7c12080cbfb9e7e8b71a8a2d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
237B

MD5
b71adc9a044d1a41ac421bb5f7be092e

SHA1
387ac938ef4b489d10a296952a06ccb279a94608

SHA256
00d21f233c866897e033df49cfed50a964637fe4fea595818ac902fe9ce70502

SHA512
22b0abd13e1c626c91b1a8c31caf8cb272a67ebd96954cb76e6d3048ab90b50c0d588ee4d40b33c3e146b199f8eaeb9bdf6df361da2a161ab525663653f065ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
237B

MD5
b4f899f5e87dc52872fba01a46078d58

SHA1
04b2d808edb367ad2cf189133ccbae146c801653

SHA256
c0f84350156d9755c74694400e08ef6a78af72f8edbdda1353005bbacdc35a4d

SHA512
044b172dc1a4ee91dfde81e9dae7e6c4a08d00b058c211f99685e1b23400e35f7335b3ff0df710eed3d7a81839f29291e5d689614e146490f967e7536a77f93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
237B

MD5
a7d6ce5ae6665fc69a261b795e255c25

SHA1
6f458e02e5fd1209f222eb8de763b01a4e411015

SHA256
38d4a718281193689745880781cf67a9723d31c90ea92a24da2516e5d3b035e8

SHA512
93a90585737ffbd392e461caed257817c60c57b98abded40d301b9b8d29caa375625db7b9922ad38176ab69662dd02472e2e7b046bdbf47357a3981075b1a8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat

Filesize
237B

MD5
0d0340ee1cae17bf3e9e6c360b925508

SHA1
1b69c9e0332a68cdca5920029e2659804c4a858d

SHA256
cc070283c430daedf62bf0dea5cfb43c73aa138c8ef43122117706b138a95130

SHA512
d464866ace050cd895a60bba2de082f5b14e75c111d063bfed2abdbe669c820a439c768b8fe2fe5cbfa16fc03b37c280ac3eb5c50b3544a7e123ae2d9f028b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
237B

MD5
4bd5ddb9fc1be816daf1685e91e173fd

SHA1
953f134d3c0f7db1f76928177af4359d354b1902

SHA256
b68ebbe14a8c4dc185cb83347b5f74e02894c27e14c91429a006be51c17194c4

SHA512
93a7e6d8dab481d2a8fb0650297694fe24502a12b803e492aa508fdec6826f91a215af8024047e038125624961195d8fa637a5b951d5145b534394737a1e760d

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat

Filesize
237B

MD5
54fb0b4d87fc31fab6506ac2ee050678

SHA1
9250674607ffd1fb517c32da5bec59096a1fadeb

SHA256
4733c1f1e3dc42dbfe4fd50e80d99e7465ef04e5341e888d5754cd27260e777e

SHA512
4671ee65cb019a03b3950ff68246e56f6786bbc3c24990103c9e9ec262c5479a1b89c72104234ff9c07e4dd05b7934506787facbbabd9ce074d1ed33fe37a389

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
237B

MD5
211b2c718b2183236b8eadb94f16e7ee

SHA1
d1b01959596bfe337fe5d5cfeb3e822297a753eb

SHA256
b0ec2bc005610511675d69b0271e0c295c7bd24c5792f6c8859f522e552a36f2

SHA512
f6c38e8a89efef367bb66bd2a7ecddc3e22b718303a496affeb85845857a0f3ee963491c207b43b2cef9fa43214e1fd0120c2279ee5ddf69e0116e4fcdc0f300

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e35c45812655cd2bf891b258b6ae71a5

SHA1
f702248f078590ffe614a62a48b62a3c20862e2e

SHA256
5347df70fc5c77028d8038ec354f7b2105a6a2f88e7875e8d17057633a1d9642

SHA512
c51fe1cb25da40437e1013fe839dd1090ca399ba0edb1a1a0fc5eb234dc87948c873ccedcd407f08131f89a3bcc83af61fb2ed0cdfc33a78636272701b660093

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/584-229-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/1336-110-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/1356-587-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1972-527-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1972-526-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/2004-42-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2004-40-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2256-169-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2536-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/2536-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2536-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2536-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2536-16-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2704-96-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2704-90-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2824-67-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2828-466-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download