dcrat | be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225.exe
Size

1.3MB
MD5

2b60dd47ff4e56191c4e0145178cdead
SHA1

02e53a66ad8c293898cce0711bd63d9b3b01365d
SHA256

be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225
SHA512

32d7687a1f318cd5246d8a3d6f9f80409176ecf4236840a38bccf62a7c2ea8842169d9d5e9bd831ad65609b1d01290a7a5c198ab4424ed975180d25f7066eb54
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2720	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001747d-12.dat	dcrat
behavioral1/memory/2216-13-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/1856-117-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/1064-177-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/1756-298-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/3016-359-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/480-419-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2808-538-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/2992-598-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
872	powershell.exe
2500	powershell.exe
2572	powershell.exe
1972	powershell.exe
1692	powershell.exe
3036	powershell.exe
2456	powershell.exe
2524	powershell.exe
2052	powershell.exe
2044	powershell.exe
3032	powershell.exe
1312	powershell.exe
2200	powershell.exe
2064	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2216	DllCommonsvc.exe
1856	dwm.exe
1064	dwm.exe
1932	dwm.exe
1756	dwm.exe
3016	dwm.exe
480	dwm.exe
2988	dwm.exe
2808	dwm.exe
2992	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	cmd.exe
2880	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PLA\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2300	schtasks.exe
1712	schtasks.exe
1644	schtasks.exe
904	schtasks.exe
1380	schtasks.exe
1744	schtasks.exe
2564	schtasks.exe
2208	schtasks.exe
780	schtasks.exe
580	schtasks.exe
908	schtasks.exe
2780	schtasks.exe
2640	schtasks.exe
2080	schtasks.exe
2108	schtasks.exe
2488	schtasks.exe
2024	schtasks.exe
2792	schtasks.exe
2772	schtasks.exe
2904	schtasks.exe
1632	schtasks.exe
1920	schtasks.exe
2220	schtasks.exe
2580	schtasks.exe
2600	schtasks.exe
2316	schtasks.exe
1064	schtasks.exe
2920	schtasks.exe
2796	schtasks.exe
596	schtasks.exe
1152	schtasks.exe
956	schtasks.exe
2620	schtasks.exe
2160	schtasks.exe
1948	schtasks.exe
2660	schtasks.exe
1760	schtasks.exe
3004	schtasks.exe
2340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2456	powershell.exe
2572	powershell.exe
2524	powershell.exe
3036	powershell.exe
2500	powershell.exe
1972	powershell.exe
2064	powershell.exe
2052	powershell.exe
2044	powershell.exe
1692	powershell.exe
872	powershell.exe
2200	powershell.exe
1312	powershell.exe
3032	powershell.exe
1856	dwm.exe
1064	dwm.exe
1932	dwm.exe
1756	dwm.exe
3016	dwm.exe
480	dwm.exe
2988	dwm.exe
2808	dwm.exe
2992	dwm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	DllCommonsvc.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1856	dwm.exe
Token: SeDebugPrivilege	1064	dwm.exe
Token: SeDebugPrivilege	1932	dwm.exe
Token: SeDebugPrivilege	1756	dwm.exe
Token: SeDebugPrivilege	3016	dwm.exe
Token: SeDebugPrivilege	480	dwm.exe
Token: SeDebugPrivilege	2988	dwm.exe
Token: SeDebugPrivilege	2808	dwm.exe
Token: SeDebugPrivilege	2992	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2352	2204	JaffaCakes118_be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225.exe	30
PID 2204 wrote to memory of 2352	2204	JaffaCakes118_be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225.exe	30
PID 2204 wrote to memory of 2352	2204	JaffaCakes118_be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225.exe	30
PID 2204 wrote to memory of 2352	2204	JaffaCakes118_be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225.exe	30
PID 2352 wrote to memory of 2880	2352	WScript.exe	31
PID 2352 wrote to memory of 2880	2352	WScript.exe	31
PID 2352 wrote to memory of 2880	2352	WScript.exe	31
PID 2352 wrote to memory of 2880	2352	WScript.exe	31
PID 2880 wrote to memory of 2216	2880	cmd.exe	33
PID 2880 wrote to memory of 2216	2880	cmd.exe	33
PID 2880 wrote to memory of 2216	2880	cmd.exe	33
PID 2880 wrote to memory of 2216	2880	cmd.exe	33
PID 2216 wrote to memory of 2052	2216	DllCommonsvc.exe	74
PID 2216 wrote to memory of 2052	2216	DllCommonsvc.exe	74
PID 2216 wrote to memory of 2052	2216	DllCommonsvc.exe	74
PID 2216 wrote to memory of 2456	2216	DllCommonsvc.exe	75
PID 2216 wrote to memory of 2456	2216	DllCommonsvc.exe	75
PID 2216 wrote to memory of 2456	2216	DllCommonsvc.exe	75
PID 2216 wrote to memory of 1692	2216	DllCommonsvc.exe	76
PID 2216 wrote to memory of 1692	2216	DllCommonsvc.exe	76
PID 2216 wrote to memory of 1692	2216	DllCommonsvc.exe	76
PID 2216 wrote to memory of 2200	2216	DllCommonsvc.exe	77
PID 2216 wrote to memory of 2200	2216	DllCommonsvc.exe	77
PID 2216 wrote to memory of 2200	2216	DllCommonsvc.exe	77
PID 2216 wrote to memory of 2572	2216	DllCommonsvc.exe	78
PID 2216 wrote to memory of 2572	2216	DllCommonsvc.exe	78
PID 2216 wrote to memory of 2572	2216	DllCommonsvc.exe	78
PID 2216 wrote to memory of 1312	2216	DllCommonsvc.exe	79
PID 2216 wrote to memory of 1312	2216	DllCommonsvc.exe	79
PID 2216 wrote to memory of 1312	2216	DllCommonsvc.exe	79
PID 2216 wrote to memory of 3032	2216	DllCommonsvc.exe	82
PID 2216 wrote to memory of 3032	2216	DllCommonsvc.exe	82
PID 2216 wrote to memory of 3032	2216	DllCommonsvc.exe	82
PID 2216 wrote to memory of 3036	2216	DllCommonsvc.exe	83
PID 2216 wrote to memory of 3036	2216	DllCommonsvc.exe	83
PID 2216 wrote to memory of 3036	2216	DllCommonsvc.exe	83
PID 2216 wrote to memory of 2500	2216	DllCommonsvc.exe	84
PID 2216 wrote to memory of 2500	2216	DllCommonsvc.exe	84
PID 2216 wrote to memory of 2500	2216	DllCommonsvc.exe	84
PID 2216 wrote to memory of 872	2216	DllCommonsvc.exe	86
PID 2216 wrote to memory of 872	2216	DllCommonsvc.exe	86
PID 2216 wrote to memory of 872	2216	DllCommonsvc.exe	86
PID 2216 wrote to memory of 2044	2216	DllCommonsvc.exe	87
PID 2216 wrote to memory of 2044	2216	DllCommonsvc.exe	87
PID 2216 wrote to memory of 2044	2216	DllCommonsvc.exe	87
PID 2216 wrote to memory of 2064	2216	DllCommonsvc.exe	89
PID 2216 wrote to memory of 2064	2216	DllCommonsvc.exe	89
PID 2216 wrote to memory of 2064	2216	DllCommonsvc.exe	89
PID 2216 wrote to memory of 2524	2216	DllCommonsvc.exe	90
PID 2216 wrote to memory of 2524	2216	DllCommonsvc.exe	90
PID 2216 wrote to memory of 2524	2216	DllCommonsvc.exe	90
PID 2216 wrote to memory of 1972	2216	DllCommonsvc.exe	91
PID 2216 wrote to memory of 1972	2216	DllCommonsvc.exe	91
PID 2216 wrote to memory of 1972	2216	DllCommonsvc.exe	91
PID 2216 wrote to memory of 2100	2216	DllCommonsvc.exe	102
PID 2216 wrote to memory of 2100	2216	DllCommonsvc.exe	102
PID 2216 wrote to memory of 2100	2216	DllCommonsvc.exe	102
PID 2100 wrote to memory of 2640	2100	cmd.exe	104
PID 2100 wrote to memory of 2640	2100	cmd.exe	104
PID 2100 wrote to memory of 2640	2100	cmd.exe	104
PID 2100 wrote to memory of 1856	2100	cmd.exe	105
PID 2100 wrote to memory of 1856	2100	cmd.exe	105
PID 2100 wrote to memory of 1856	2100	cmd.exe	105
PID 1856 wrote to memory of 1044	1856	dwm.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_be014212c14629a90740ec2f58b0c4fc3a0be017fabe7afbe83755984df02225.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6WxvfBmpdS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2640
      - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        7⤵
        
        PID:1044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:336
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
        9⤵
        
        PID:352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2936
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
        11⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2408
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        13⤵
        
        PID:2704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1956
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        15⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2256
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
        17⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2508
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"
        19⤵
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1756
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
        21⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1804
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PLA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
192c783a9b1bbc34472174fdc380704b

SHA1
2646ea319d5c32ee87de86ea691fe20eee97d85f

SHA256
2d26fd453dab82632fa254a00aa88fa0ca95fc36db89b457cc833f2fd57bdc71

SHA512
f480167708cfa4a229559cf91ea2bd052113347d59435857163c6ae2f5136e047e72c0524e339bb5d40b794c6a8668d501f5032ae40c713910ed2b6557d1dc30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64c1a53fdf6c6156057e8c422487ffc7

SHA1
42cd95181c5f51f2f1becbdfc57c6461429331f7

SHA256
878e44abc70657a17aed3d49f40c0e3cd5353ec5bde73611f89fee50fa304d34

SHA512
0b69772dd491e013ebeb3827a6e946a9176846e190270a59715c53993ed41d09a718c5dbd0e912c1d83d7fff8e92ec82e1e26c9d6d251d16dababa16fd3f8f38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06be6f86c3b69d52488e2777355dbcd2

SHA1
81c01527d86ac0f037a25f4d0ea203bb36f11d7e

SHA256
c377900b1bd86cef0621e1c14b8678663ed9c4f999b5655bb8087dc43aebfeef

SHA512
04a84faba4d465b419c183acc54c4a700433f7eae0b73d63ea130611e31c64ab132f57a949b7c601a9fbf3cf98443f5edbfba7a2140ce42ffd5d891bf7f622b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fde6b3e37d5d16103c68b87b6e96d9be

SHA1
bf8d12bca148da6c744f72c854295b9d3eb5a790

SHA256
5505f45607c4739d400038a8fda4211833efc7555cdf43348a8613d9907e0a6e

SHA512
976d6b8e53ebde9f1e594e99ba325e095a87ce1b9922d32f5986d85e0192b5ef3cd3d96dd04d8133d6f466652e245555ea7b6f0c90fa29defb295fc1a8023a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57bdce50b0c168db0bfa2906ff925041

SHA1
a371ca7e6333816fb8d1d46b7f86f79038eb4390

SHA256
5e40f3ffc24f0954cee8a6b38db6badb9045c6bfbb5879638e5ac0a6283798c5

SHA512
f234d7e16c9f09c18891c3948ac4347b0663022ca9b44b929169ef137ff698a194938e172ed5a34595c0b88f658bb92d7d67a6ec14665d33ff19fa54e2eb2546

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8316f2b56cedab2dbdd3881bebcc1d8

SHA1
862b561cac1b3a090b5e1ab93aa8c0df824bcac7

SHA256
b7543edbbbbbb02989b3d8404e5f1b2154e612e86d5e9b080b7b79022e06a6e4

SHA512
1f941acb5bae35c403555afa431dba4d6cd7fcbe558b5f7bc2f024fe5d59a901b71becc262db0f2d339aba84cea854a67c009406407f27ecce1f768af5c075a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2dc6be3cb9bc98ac1a05c5f501fb2c1

SHA1
6769d40c68162c9950568fc3b86e8de1c1b08db7

SHA256
d1dcd0a6e22a36bb76c0645f342754fab00e78174e3bdfadd7d931a12a1d93a9

SHA512
ad007023c13a1088cb3fb50d7831d9dd87a5daecc4cabc5436d174b15de7414d00cda587c11ed9548e5b5157325c7f3c2b44ac7fa0d791416f86a1e2e1e98c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

Filesize
235B

MD5
ac5f0bb02396d391323643f575fea95c

SHA1
da1f0e663525fc6c11310c173592be0796326f75

SHA256
47948b816cc14e4e6eb55052d3668886427ed8d38e4e8083456327cfcc1e3765

SHA512
8d2ca51be4ad5a101d66a0cd48c2265791431a32646ab86b653c90bcf70ca8d82a30597b586e8897ba24fd3bf76e176786b15f4d85319a372ddecb6df5377e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\6WxvfBmpdS.bat

Filesize
235B

MD5
f39bc1880d8653a5a786933b4f94533f

SHA1
7b850119d21f1804bdafb53cdf9d767d513e2081

SHA256
4fa6dd75afeb93038e42a7d21c1bdbceea4e6d1a40a4471b4cb9bb0faa72690e

SHA512
6bf2d49586eca90470e8a0c5b69c9a68a33db6372ed2946a2a832bc6a748d31399624188db4a72f868e5d29d2643b56d39b4f66895eb27cd6a8485b6052ae88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCDBD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
235B

MD5
e47319f967c5e6679e54d313e48790c4

SHA1
c9a42c9a32ad716636273d11419d75b2543ead81

SHA256
9803a7597156f3a7950e5b8fb1ea553de74fbbf2cecf914a98d9557edf4853e5

SHA512
1f81c172a84adc20dab27c5b6b51394c04bcbd7ad8dc872eb3f1c382589b4c49d4b87f2cce27f6b924b93ed6701f3a688f0c196450ad1ece82bd452eb3ee948f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat

Filesize
235B

MD5
5f2276032dc54a4b7669973cda3dd0ee

SHA1
5d047afd08ca062ba4dd90abd53db5008692a84b

SHA256
bea51010f25955180c8feac3f511e02aae117f99b806137231a489803497a195

SHA512
603665c0e86716d5fa54f48ca5b52f14797080b2a3f9514739fb8920ff907dd3dfede7396ca43c803f9d6a9728e9085db6b7d083cc5abc1bacf3198f77fea01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
235B

MD5
d6d27b5ddd29700662ded7ff63f6d236

SHA1
cbcc4d9df30f1cceb112d3687a1849fbb940bc7f

SHA256
ecfce22bc520a917cd8597e029934d6c861e5d7a29815c0d5c64ec62c99c9276

SHA512
ce58e96736a44d6e76d64099c7e3cf0e734470e0020db63c9d716d6758be117a0c4cc142898b6d7a92c0155cb0aec8bd0bce9299b5b6bdc882239a72892e2e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCDDF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
235B

MD5
ed007457bdb708a626a5803cd9c86b14

SHA1
8e3d6e5e9669d60dcfb17f4f7990fc76500b92ec

SHA256
1f3b4affab88735ce800a57bc67f16511a6fe80dac3c914a143327c71273a057

SHA512
dc60675c7231c645c5e28460a0bfdb1b06890951d7ea9a94c588ef54ef0b9025b95e24ff84d34de640431a60f19bdcc0637ee489ef455be24f6566801e4010a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

Filesize
235B

MD5
122340adb2cb10c5ac9f4fe45c8c1cc5

SHA1
e5c9e8c9eed14c8770072ebd8d0ecb4a238ef8a5

SHA256
95107e44eb82f98baa415b1e049ac2cbd63acbbf23ae8e420052949d7fb862de

SHA512
c98dbce19e923045bc8a39d79a435a8e94d96dc99164dc517e6d9d1b7362c147061fffaab5fa3d36322a8878a8b251c9b22837cad079ab6359e7b247ab66c550

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat

Filesize
235B

MD5
00e9c98731a763951302fd4d3dc57031

SHA1
a56bc4d932f3dbda5938396a1bbd557080aa09e4

SHA256
5f61bf5de73d9797ecb233efed049231852a1abad1b9de96dc437472f13b44c1

SHA512
ebcef179c8bdf014faef3c6d1bb7913ab708dd8c27e046ca05520ac52cb5efd7b4036ddb3b418c5a35e75bcbf84b36072290256131924190cee1429e22936332

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
235B

MD5
3f364b68d8435175c592a3260b82bd53

SHA1
13c9f0c6eb98c50461776ba49493e8fe9c3d86e0

SHA256
fbf9bb9caa17207b2617252a5935698c4a970db8903f5c1aaed2161428a7f9e3

SHA512
f596035d57d27e4e803a945d286098c09d4e434dd6a3d478cf65b41a6f5316a4e63fbf21fe8b69addab859b159f2bf15689344d8baa906f5433afd57404cf99f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0566b5cb860f7929a0208d17cd615648

SHA1
e7f0bf730fb6a7fbf66068ccc0b78724b773a0f2

SHA256
44f2cca8da1f22397869911f3793227b62fd817d222752ccaa288f85cb9a3a12

SHA512
79e0900d04b7f78c5090fb74172239a275a75509d6e6e45d3bb2fb040fc64a45c06381de4dc5ec41b2d107495df0646617a287d914557ea7f84aae8605cfd494

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/480-419-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/1064-178-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1064-177-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/1756-298-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/1756-299-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1856-117-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/1856-118-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/1932-238-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2216-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2216-16-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2216-15-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2216-14-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2216-13-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2456-113-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2456-114-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2808-538-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/2992-598-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2992-599-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/3016-359-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download