dcrat | 226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8.exe
Size

1.3MB
MD5

836f1e0b35ad6745a2dca977ea5260e9
SHA1

3d34269b1f44d5472699d8c6ff4e1cb9668a266e
SHA256

226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8
SHA512

2be74ac48c3b554aa11d3fcf95e4ba4963b7f5cfda0f3ecc60240ba78c777455c753fb6cc49eda625c8a501079b935bafdfe72745925d4af95c6a701601690f2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2120	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2120	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186f8-9.dat	dcrat
behavioral1/memory/1848-13-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/1780-71-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/2912-167-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2476-228-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/memory/2852-289-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/1052-410-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1052	powershell.exe
1148	powershell.exe
1536	powershell.exe
1608	powershell.exe
888	powershell.exe
1524	powershell.exe
988	powershell.exe
1680	powershell.exe
2440	powershell.exe
676	powershell.exe
2076	powershell.exe
1088	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1848	DllCommonsvc.exe
1780	dwm.exe
2912	dwm.exe
2476	dwm.exe
2852	dwm.exe
2952	dwm.exe
1052	dwm.exe
1992	dwm.exe
2416	dwm.exe
2948	dwm.exe
1608	dwm.exe
2572	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	cmd.exe
2416	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\winlogon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2916	schtasks.exe
2604	schtasks.exe
2748	schtasks.exe
772	schtasks.exe
2212	schtasks.exe
1272	schtasks.exe
2108	schtasks.exe
2920	schtasks.exe
2088	schtasks.exe
2836	schtasks.exe
620	schtasks.exe
1636	schtasks.exe
536	schtasks.exe
2572	schtasks.exe
2896	schtasks.exe
2560	schtasks.exe
2876	schtasks.exe
1940	schtasks.exe
1132	schtasks.exe
1664	schtasks.exe
2096	schtasks.exe
2536	schtasks.exe
700	schtasks.exe
1928	schtasks.exe
680	schtasks.exe
1532	schtasks.exe
2988	schtasks.exe
1512	schtasks.exe
468	schtasks.exe
2984	schtasks.exe
1252	schtasks.exe
1964	schtasks.exe
916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1848	DllCommonsvc.exe
2076	powershell.exe
676	powershell.exe
1052	powershell.exe
1088	powershell.exe
888	powershell.exe
1536	powershell.exe
1148	powershell.exe
988	powershell.exe
2440	powershell.exe
1780	dwm.exe
1608	powershell.exe
1680	powershell.exe
1524	powershell.exe
2912	dwm.exe
2476	dwm.exe
2852	dwm.exe
2952	dwm.exe
1052	dwm.exe
1992	dwm.exe
2416	dwm.exe
2948	dwm.exe
1608	dwm.exe
2572	dwm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	DllCommonsvc.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1780	dwm.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2912	dwm.exe
Token: SeDebugPrivilege	2476	dwm.exe
Token: SeDebugPrivilege	2852	dwm.exe
Token: SeDebugPrivilege	2952	dwm.exe
Token: SeDebugPrivilege	1052	dwm.exe
Token: SeDebugPrivilege	1992	dwm.exe
Token: SeDebugPrivilege	2416	dwm.exe
Token: SeDebugPrivilege	2948	dwm.exe
Token: SeDebugPrivilege	1608	dwm.exe
Token: SeDebugPrivilege	2572	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2344	2360	JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8.exe	31
PID 2360 wrote to memory of 2344	2360	JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8.exe	31
PID 2360 wrote to memory of 2344	2360	JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8.exe	31
PID 2360 wrote to memory of 2344	2360	JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8.exe	31
PID 2344 wrote to memory of 2416	2344	WScript.exe	32
PID 2344 wrote to memory of 2416	2344	WScript.exe	32
PID 2344 wrote to memory of 2416	2344	WScript.exe	32
PID 2344 wrote to memory of 2416	2344	WScript.exe	32
PID 2416 wrote to memory of 1848	2416	cmd.exe	34
PID 2416 wrote to memory of 1848	2416	cmd.exe	34
PID 2416 wrote to memory of 1848	2416	cmd.exe	34
PID 2416 wrote to memory of 1848	2416	cmd.exe	34
PID 1848 wrote to memory of 676	1848	DllCommonsvc.exe	69
PID 1848 wrote to memory of 676	1848	DllCommonsvc.exe	69
PID 1848 wrote to memory of 676	1848	DllCommonsvc.exe	69
PID 1848 wrote to memory of 888	1848	DllCommonsvc.exe	70
PID 1848 wrote to memory of 888	1848	DllCommonsvc.exe	70
PID 1848 wrote to memory of 888	1848	DllCommonsvc.exe	70
PID 1848 wrote to memory of 1608	1848	DllCommonsvc.exe	72
PID 1848 wrote to memory of 1608	1848	DllCommonsvc.exe	72
PID 1848 wrote to memory of 1608	1848	DllCommonsvc.exe	72
PID 1848 wrote to memory of 1536	1848	DllCommonsvc.exe	73
PID 1848 wrote to memory of 1536	1848	DllCommonsvc.exe	73
PID 1848 wrote to memory of 1536	1848	DllCommonsvc.exe	73
PID 1848 wrote to memory of 988	1848	DllCommonsvc.exe	74
PID 1848 wrote to memory of 988	1848	DllCommonsvc.exe	74
PID 1848 wrote to memory of 988	1848	DllCommonsvc.exe	74
PID 1848 wrote to memory of 2076	1848	DllCommonsvc.exe	75
PID 1848 wrote to memory of 2076	1848	DllCommonsvc.exe	75
PID 1848 wrote to memory of 2076	1848	DllCommonsvc.exe	75
PID 1848 wrote to memory of 1524	1848	DllCommonsvc.exe	76
PID 1848 wrote to memory of 1524	1848	DllCommonsvc.exe	76
PID 1848 wrote to memory of 1524	1848	DllCommonsvc.exe	76
PID 1848 wrote to memory of 2440	1848	DllCommonsvc.exe	78
PID 1848 wrote to memory of 2440	1848	DllCommonsvc.exe	78
PID 1848 wrote to memory of 2440	1848	DllCommonsvc.exe	78
PID 1848 wrote to memory of 1148	1848	DllCommonsvc.exe	80
PID 1848 wrote to memory of 1148	1848	DllCommonsvc.exe	80
PID 1848 wrote to memory of 1148	1848	DllCommonsvc.exe	80
PID 1848 wrote to memory of 1052	1848	DllCommonsvc.exe	81
PID 1848 wrote to memory of 1052	1848	DllCommonsvc.exe	81
PID 1848 wrote to memory of 1052	1848	DllCommonsvc.exe	81
PID 1848 wrote to memory of 1680	1848	DllCommonsvc.exe	83
PID 1848 wrote to memory of 1680	1848	DllCommonsvc.exe	83
PID 1848 wrote to memory of 1680	1848	DllCommonsvc.exe	83
PID 1848 wrote to memory of 1088	1848	DllCommonsvc.exe	84
PID 1848 wrote to memory of 1088	1848	DllCommonsvc.exe	84
PID 1848 wrote to memory of 1088	1848	DllCommonsvc.exe	84
PID 1848 wrote to memory of 1780	1848	DllCommonsvc.exe	91
PID 1848 wrote to memory of 1780	1848	DllCommonsvc.exe	91
PID 1848 wrote to memory of 1780	1848	DllCommonsvc.exe	91
PID 1780 wrote to memory of 2416	1780	dwm.exe	94
PID 1780 wrote to memory of 2416	1780	dwm.exe	94
PID 1780 wrote to memory of 2416	1780	dwm.exe	94
PID 2416 wrote to memory of 1912	2416	cmd.exe	96
PID 2416 wrote to memory of 1912	2416	cmd.exe	96
PID 2416 wrote to memory of 1912	2416	cmd.exe	96
PID 2416 wrote to memory of 2912	2416	cmd.exe	97
PID 2416 wrote to memory of 2912	2416	cmd.exe	97
PID 2416 wrote to memory of 2912	2416	cmd.exe	97
PID 2912 wrote to memory of 1976	2912	dwm.exe	98
PID 2912 wrote to memory of 1976	2912	dwm.exe	98
PID 2912 wrote to memory of 1976	2912	dwm.exe	98
PID 1976 wrote to memory of 2556	1976	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_226cee52d6d8350bdf6e3c8dbc3d0620ec5c5f0c6a265d2c29463feb28fb23d8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1912
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2556
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
        10⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1852
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        12⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2416
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
        14⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1768
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
        16⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2720
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
        18⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1716
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        20⤵
        
        PID:888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2372
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        22⤵
        
        PID:1568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2804
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
        24⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2140
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca2eb44e7c924d62a97440b32c9c01e2

SHA1
f1572e637b6b7505c6e719c339a29fd3851a5311

SHA256
e896bf71dc8acebcee8e5954a3f3232f097adef39005fe9aabbd0c0f1d87e36d

SHA512
eac51fae3955d36a5ea5369cbe8c571069397dd8d9d05d5af5b1d664bda31383114bcfd907030ce8a67c251444580cfa0fde620d3e06eaaa0e04e546392cdafd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cdba1ad2330a1a1a593d1e9d46f494a

SHA1
a71ff894ed968f060368d181739f0409d5ccbad1

SHA256
078c5cb846035cc7f7764cce93aaa7c0fc82cdba70b04dfe8f5fe566dfe119c4

SHA512
c4a591782fdfda0a0c9540a73416ab75240dacb7bcde52a391aa77434375de4e7479f315721e2a8f71a710ae23dc15f307ac73dbbfcc70dcb39073d0b896f970

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3545fa36524b81e05cc06ddb8fb2ac6

SHA1
9f8b8f25de28c2e7b63384b8d2af7d68a1fad1d9

SHA256
2233e77937597dc8454751578f54ba5075f7f3a149ab28aa556d4b0964ff3735

SHA512
b14f6cda92adfdbcc9985eed2ebeb29b7c9414888c62a1cbdb2dec65f9936d644eef096e5a6e12114589822b1fc9280b06e2f601e9bfa8356cfe5960f6530f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e13547621136e304b26044be210d056

SHA1
e19137031c2ed3a01d0026926ce53adfb8a3663d

SHA256
69bd692b1285aa7f6032df572519efdf2ebb011d378c05e991e855b74aa8b2a1

SHA512
5e31872a8e9c86d32f863e0c491a23c2308472ea9fe6e1c36ed4456e156e52f47fdc574955d482d1b3cfbe62d14a3a8d2e3fd452a3502b68b1a456e7b1f3b112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46178cca8d0d37af2eb8c409664e9d15

SHA1
76c62d4ad2fbfb978173322c960fd5d1cc86c594

SHA256
a9fe06c516476baf393a89962011b638014d6eed5672b84f0716d7c722cd32ed

SHA512
4577a4e76a59bcf403b6c67608f2f94ca7d34d390f356acd3ab7e919bf88cbbcb604fc867d6e474674503f1ef74f85829bb913d9e7a7b12f643719325ef2e060

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b083331314f3f1a158039d3a8f4cfd2

SHA1
1f562e029dd2af6a29a3758e2e29403d62c15712

SHA256
2350d93ecb135c7f9fdf14f45ad66c23791c13f7b97c2385020676d525769c8d

SHA512
202dc86732a122bb1152e7800b3f0d336983da173a998670ee714a14f6094fb1c1aeec2a831f3ad5efe5792a84733792b04d3c65da756ced513d5a9fe04cf319

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b5a39f0f615bc50a9afc0610d848a96

SHA1
a2e22bf451270cdfb12c2eb69f072e12b07db7bb

SHA256
2f73a4f2020421c187fe44007631ec4981bfc5b8a62c844cdcc6bea7364372c3

SHA512
a7c4ad65413b33271a0f44a775d9bfe7f874af2ca3d919d420538ae11f8b7f3fd6b91a6d92785f5efd5ac18a589175001ea009b0d0975473ad7c8413bf4c9a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3346e23c8bf4c406769d273c72f0e940

SHA1
d9eb799471ef846e894b61a9ea5bda6aef801840

SHA256
c111bf3326d863f70552db4e298a0be000a73835929180a5f677b33fa9019aad

SHA512
714f4fdf9e6214c2c8741e64500ebd87db82734a2662cad51a21c3fdd2aefcb7100940156c7a929b0cadab65542b077dcde92a77409e30d58299315a693dd09e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed43c0ba05a62c1f5e22436bb4f65cf8

SHA1
9914d2a594013e9b0f3621c49f7625059ef59407

SHA256
2129c2c795fd06e5a0889b50004937e090e23509ee83e23e16164603cb822824

SHA512
0fd3a5822501e967b6f7d92cc45778a27aba5dfb62d58935ec1a19eefe1227468d52387434f3228f6061ff4b9d057bff5bf32ddaf72a22103f46ffdfa5f1ddb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat

Filesize
194B

MD5
4d028a768541c4286b7ee0f2dd724da7

SHA1
7e07e57f28139b7a3126d370b3882daf829ec413

SHA256
daeeeb1c6d09a27e75256775d6ac5a2b55e932703b0be7538f8ac562b19e32f6

SHA512
605c4f0f8131854b10e038e58a35ba271d4aa5ab3a1b06a74a09b42fbefc9012a87b6c46ec86f8c3bf678aa6c9c031c1f108fde371a2dd1f84aa62453de7e474

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFEAC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
194B

MD5
830241c3569f7cebbee0875331e042ae

SHA1
20d17c304aaeb9a7f9a7e2149908f0b16a0850db

SHA256
f8a29960f7dbb54cc02bfe8d54c1b27c9147283ccf08aff55dd72a979ef7f735

SHA512
6e899e4badf85907a10f3f3b55807178b4a828ac7ab214903a0c938d26b73c2b421dc3c9b74d700698480a795045144ea0e172e0fa2c2d404430a2904d7a142d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

Filesize
194B

MD5
44fdc2a791c3f70d18093eae9aed8102

SHA1
34cd1faafc893a3f5f29a73ee6d6508712705d06

SHA256
174b6e72102e31cfef5f5555f8dee20b69007e3f1f25b09effd5984e7816f434

SHA512
8da8e39e2505340934bf6402a4c85d7e3c0fd56cd57afc813b69ffd2a05a497e6032f351b5bc5897efb5263d60d9e11a463807363ebabdf682c22f7e8326e8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

Filesize
194B

MD5
f0593f22edd79b5d50ddffaf84575ac9

SHA1
51e4a1a2ffacb7289765d5ad64961d4e152ed960

SHA256
f3c66343548ff71e2844c342ba608aec3f2f257f5e44f40e55d95998f56d8311

SHA512
6b3455ff6674172db5257f6647220e846dc2d64befe4ab578d784eb99303e1797344d23411d17ef08fecd89d996cf3fab4a8672ee672c6c83eab01daf45036b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

Filesize
194B

MD5
9c44477602a2955d5f0b05a14b9086d3

SHA1
99c70d739abd0306efa1dc6e1544459594174b06

SHA256
e72da845e4011fb57c70d8bf8b7c7a4c8c4182a60b1a3a490bb9d1fe3f2a6564

SHA512
cc3fcc8fb0513536e3354c5fc31ee3098310ce23e8bba38958156c811915b79558f6c06144df8f525dc883b1943a602e66b769a82942905ed0381e620f99e716

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
194B

MD5
13ec3c37d09e5e638271dce1ac79c6bd

SHA1
23ac76e68d541932cfa87582c180f497fb0e8a23

SHA256
ad9b84fcb487d6b843456a6d322ec958e091657a1fafba8380b1671323ee36f3

SHA512
88e20a34a46b2016f3206779989723c781bf7b5df8fbe295b554fd5369bf815c93c1b25be56f511d90fa1551e922863f568b83da314226b710879c65e2380e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFEBE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat

Filesize
194B

MD5
5552ebdbfb195c44ab5d6b19421b9944

SHA1
123b5f9ad09973c106a5f0ca077b3d37ccb781d2

SHA256
97d8fb1b8ce7bc8a0725398696935d9eac809e08a091951f19d73fc817bb69b9

SHA512
7520d0778511735d3535bcb7aa9f3f716dd12da7abba28f84e55544b3092753ea1e96b7fd996124408377cceb11702ec478e431c0bafc1f4f636cde92ab0c270

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
194B

MD5
8dfede30cee5bca61a1398cc0743a780

SHA1
47c7e4ac672395c38de1bbd4c232106ee13a5e2f

SHA256
cc00c0d6fb93960ab0b2e607e16f83bf6c1a1999f0a89b6d36ecb22c533acd0f

SHA512
673722acbe1e9f730e7dfb4f6d6f20f7407275ccf9b3f296be91811b71f636037c767cc4609f02957bfc763a6a4e0d00ac919091f8a72b8b971971881cab59e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
194B

MD5
342bd40396751d17545907e21dadf6a3

SHA1
d0dfc018f62370315c346ee4c6b8837583f6507d

SHA256
e3168b7a459c0e222503273f4030177d934ae1f0258532605b36062ef9dcc7d8

SHA512
bc32f9ff5851a2e772691622b6f56c48fc713fab488b2a5e9d4bd8d2ce2a776f48d886143477bfcde3346376fce2cf2897caa8aad854556315ea0f25fccd7cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

Filesize
194B

MD5
745c21bae1879e45aa123ac8153417c9

SHA1
d63aaec33431b95ccaf156661c6fce8348185e6f

SHA256
990695979167e96ba9d66a4be854df701e0ebe70426149e88a52ab21763a0a52

SHA512
4969bec0cccd6e92a2ca5329c4eba32a6791045e45e5dd4c39e2c1b58cd6590ceb6244e02fd046ef469275f93e80d8f6bc8a722bf76fbe07fba30073b1b18e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
27f30939be964947cf90218fb32e1e93

SHA1
40a01d59f8a926a20008fba89bb5369993f39948

SHA256
f87de8caf0e5defc4d1cf74ee996304427500d5f8932ed0b10c92b3ad64250f3

SHA512
ae8cee662b3f370f03add96857739d38931334bfe40843aab53d83b114bf42df833aaad0b97749eb60bf1994590b8e1bc65e34f0cf801ce337dcd6d6e99c86fa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1052-410-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/1780-93-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1780-71-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/1848-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1848-13-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1848-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1848-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1848-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2076-61-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2076-56-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2476-229-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2476-228-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/2852-290-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2852-289-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/2912-168-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2912-167-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2952-350-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download