dcrat | 7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba.exe
Size

1.3MB
MD5

c4e62db3297a6040969f2003a726acd0
SHA1

bbbcb59741c3f7323f77db16330ba6dbf56624c0
SHA256

7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba
SHA512

d6f47f37346c8fa545ce30c677c63ce5e78d91a402cb86d20fc608c84c20ae980474091d655ca83a5a1b3886d6568850520a97d284530a221a871bdca104ccb6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2684	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016edc-9.dat	dcrat
behavioral1/memory/1820-13-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/1992-112-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/1900-172-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/1252-352-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2604-471-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2152-531-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1996	powershell.exe
1204	powershell.exe
1320	powershell.exe
2068	powershell.exe
1624	powershell.exe
320	powershell.exe
2444	powershell.exe
1536	powershell.exe
2012	powershell.exe
2740	powershell.exe
2500	powershell.exe
1164	powershell.exe
2440	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1820	DllCommonsvc.exe
1992	wininit.exe
1900	wininit.exe
1872	wininit.exe
2104	wininit.exe
1252	wininit.exe
2852	wininit.exe
2604	wininit.exe
2152	wininit.exe
2908	wininit.exe
3004	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	cmd.exe
2736	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
9	raw.githubusercontent.com
26	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe
1252	schtasks.exe
2364	schtasks.exe
1496	schtasks.exe
1132	schtasks.exe
780	schtasks.exe
2144	schtasks.exe
1796	schtasks.exe
2064	schtasks.exe
1972	schtasks.exe
788	schtasks.exe
852	schtasks.exe
3060	schtasks.exe
2924	schtasks.exe
1776	schtasks.exe
1088	schtasks.exe
948	schtasks.exe
944	schtasks.exe
2424	schtasks.exe
2628	schtasks.exe
1708	schtasks.exe
2580	schtasks.exe
2796	schtasks.exe
1552	schtasks.exe
1932	schtasks.exe
2724	schtasks.exe
2244	schtasks.exe
548	schtasks.exe
3052	schtasks.exe
896	schtasks.exe
2100	schtasks.exe
2548	schtasks.exe
1844	schtasks.exe
1720	schtasks.exe
2104	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1820	DllCommonsvc.exe
1820	DllCommonsvc.exe
1820	DllCommonsvc.exe
1820	DllCommonsvc.exe
1820	DllCommonsvc.exe
1320	powershell.exe
1204	powershell.exe
2012	powershell.exe
320	powershell.exe
2444	powershell.exe
2740	powershell.exe
2500	powershell.exe
2068	powershell.exe
1536	powershell.exe
1624	powershell.exe
2440	powershell.exe
1996	powershell.exe
1164	powershell.exe
1992	wininit.exe
1900	wininit.exe
1872	wininit.exe
2104	wininit.exe
1252	wininit.exe
2852	wininit.exe
2604	wininit.exe
2152	wininit.exe
2908	wininit.exe
3004	wininit.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	DllCommonsvc.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1992	wininit.exe
Token: SeDebugPrivilege	1900	wininit.exe
Token: SeDebugPrivilege	1872	wininit.exe
Token: SeDebugPrivilege	2104	wininit.exe
Token: SeDebugPrivilege	1252	wininit.exe
Token: SeDebugPrivilege	2852	wininit.exe
Token: SeDebugPrivilege	2604	wininit.exe
Token: SeDebugPrivilege	2152	wininit.exe
Token: SeDebugPrivilege	2908	wininit.exe
Token: SeDebugPrivilege	3004	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2356	2848	JaffaCakes118_7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba.exe	31
PID 2848 wrote to memory of 2356	2848	JaffaCakes118_7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba.exe	31
PID 2848 wrote to memory of 2356	2848	JaffaCakes118_7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba.exe	31
PID 2848 wrote to memory of 2356	2848	JaffaCakes118_7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba.exe	31
PID 2356 wrote to memory of 2736	2356	WScript.exe	32
PID 2356 wrote to memory of 2736	2356	WScript.exe	32
PID 2356 wrote to memory of 2736	2356	WScript.exe	32
PID 2356 wrote to memory of 2736	2356	WScript.exe	32
PID 2736 wrote to memory of 1820	2736	cmd.exe	34
PID 2736 wrote to memory of 1820	2736	cmd.exe	34
PID 2736 wrote to memory of 1820	2736	cmd.exe	34
PID 2736 wrote to memory of 1820	2736	cmd.exe	34
PID 1820 wrote to memory of 2012	1820	DllCommonsvc.exe	72
PID 1820 wrote to memory of 2012	1820	DllCommonsvc.exe	72
PID 1820 wrote to memory of 2012	1820	DllCommonsvc.exe	72
PID 1820 wrote to memory of 2440	1820	DllCommonsvc.exe	74
PID 1820 wrote to memory of 2440	1820	DllCommonsvc.exe	74
PID 1820 wrote to memory of 2440	1820	DllCommonsvc.exe	74
PID 1820 wrote to memory of 1536	1820	DllCommonsvc.exe	75
PID 1820 wrote to memory of 1536	1820	DllCommonsvc.exe	75
PID 1820 wrote to memory of 1536	1820	DllCommonsvc.exe	75
PID 1820 wrote to memory of 2740	1820	DllCommonsvc.exe	76
PID 1820 wrote to memory of 2740	1820	DllCommonsvc.exe	76
PID 1820 wrote to memory of 2740	1820	DllCommonsvc.exe	76
PID 1820 wrote to memory of 1320	1820	DllCommonsvc.exe	77
PID 1820 wrote to memory of 1320	1820	DllCommonsvc.exe	77
PID 1820 wrote to memory of 1320	1820	DllCommonsvc.exe	77
PID 1820 wrote to memory of 1996	1820	DllCommonsvc.exe	78
PID 1820 wrote to memory of 1996	1820	DllCommonsvc.exe	78
PID 1820 wrote to memory of 1996	1820	DllCommonsvc.exe	78
PID 1820 wrote to memory of 1624	1820	DllCommonsvc.exe	80
PID 1820 wrote to memory of 1624	1820	DllCommonsvc.exe	80
PID 1820 wrote to memory of 1624	1820	DllCommonsvc.exe	80
PID 1820 wrote to memory of 1164	1820	DllCommonsvc.exe	82
PID 1820 wrote to memory of 1164	1820	DllCommonsvc.exe	82
PID 1820 wrote to memory of 1164	1820	DllCommonsvc.exe	82
PID 1820 wrote to memory of 2500	1820	DllCommonsvc.exe	83
PID 1820 wrote to memory of 2500	1820	DllCommonsvc.exe	83
PID 1820 wrote to memory of 2500	1820	DllCommonsvc.exe	83
PID 1820 wrote to memory of 1204	1820	DllCommonsvc.exe	85
PID 1820 wrote to memory of 1204	1820	DllCommonsvc.exe	85
PID 1820 wrote to memory of 1204	1820	DllCommonsvc.exe	85
PID 1820 wrote to memory of 320	1820	DllCommonsvc.exe	86
PID 1820 wrote to memory of 320	1820	DllCommonsvc.exe	86
PID 1820 wrote to memory of 320	1820	DllCommonsvc.exe	86
PID 1820 wrote to memory of 2444	1820	DllCommonsvc.exe	89
PID 1820 wrote to memory of 2444	1820	DllCommonsvc.exe	89
PID 1820 wrote to memory of 2444	1820	DllCommonsvc.exe	89
PID 1820 wrote to memory of 2068	1820	DllCommonsvc.exe	90
PID 1820 wrote to memory of 2068	1820	DllCommonsvc.exe	90
PID 1820 wrote to memory of 2068	1820	DllCommonsvc.exe	90
PID 1820 wrote to memory of 2036	1820	DllCommonsvc.exe	98
PID 1820 wrote to memory of 2036	1820	DllCommonsvc.exe	98
PID 1820 wrote to memory of 2036	1820	DllCommonsvc.exe	98
PID 2036 wrote to memory of 1852	2036	cmd.exe	100
PID 2036 wrote to memory of 1852	2036	cmd.exe	100
PID 2036 wrote to memory of 1852	2036	cmd.exe	100
PID 2036 wrote to memory of 1992	2036	cmd.exe	101
PID 2036 wrote to memory of 1992	2036	cmd.exe	101
PID 2036 wrote to memory of 1992	2036	cmd.exe	101
PID 1992 wrote to memory of 2488	1992	wininit.exe	102
PID 1992 wrote to memory of 2488	1992	wininit.exe	102
PID 1992 wrote to memory of 2488	1992	wininit.exe	102
PID 2488 wrote to memory of 2080	2488	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d73087996372cc6fe16ece48bef53b3b4c58cf1a543a0de2c058f94f2ab61ba.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QB4qUVXkqU.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1852
      - C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2080
        
        C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"
        9⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2756
        
        C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        11⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2924
        
        C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        13⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1616
        
        C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        15⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2948
        
        C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
        17⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:664
        
        C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat"
        19⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2232
        
        C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
        21⤵
        
        PID:1224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3044
        
        C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat"
        23⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3040
        
        C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
        25⤵
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b05987a682e98e35a934eb5db3be8d53

SHA1
cc8b208a22f826a0d52363f5fe86da16caa183db

SHA256
13a66522964538732b722677e52a3361e3bdfb50da4da64a2fcc6a5ec68285d8

SHA512
cd51bb6174d890cea90abf088681f9a5fce6ac1ba1c1da17a33c13490fdb550f8e45ac34d86b350dadcf3b71513c1c2b932f4fa7056a4428c7549fd2f9e65703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29e7056f55b8421c75af77747a3b7cb0

SHA1
c5981b04fabe541faf54829e4bb0847ef045a872

SHA256
7ad3add0828e530e96e0abbcd58427bd0a96c221407fa70f559fe28f7aa3d0c2

SHA512
20e3476525c48234b17ddef6c19f2d89eb11f263db2a4fb66f8e2540a803fbe1a329da1312f1f1cceff30e0d640f6c7d4b4bcdaa03e02b496357e1d06a8e1e54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
856a20c15a23fdb898ff44f96f9a82a5

SHA1
bcd14c54c1db53a5eb045ed63278210c998966ef

SHA256
1abd3a74951c3d2e65bd5dc90caa9bb7b28c65254641e6e7b2b9fe92966b7ca1

SHA512
9ff34444bea8dedad5b87c33c864d7b15d9d209f3fb74753bbe6e683012954f590eabd21eeea145c81dcc897c67f2893be3f99e0aea83d15437e57b9d5fb7440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a693b56b8c053caeb587e41ab1b573b7

SHA1
c896656f4846854b6a59a4dd3a4b6eeb024f8546

SHA256
b32f306408dae1b907326c396175d41c13fa6380a0a8001fd4dbe4cff029663b

SHA512
6613a0ef8ab20ccbf98cf88c115d809c26a22f35cdca9dccee1e589968cebb00de527f569c0e5f2549752d6decff8393c5c70511e62a44d188d944a7edde62aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b760beb03979519cb0a9563509879f69

SHA1
02f4e3ba3143b230c0efb3ed8cddec738a33934c

SHA256
9ea8241d0eee5d333a1ec72876da0c2e76f0ff49a062c1263e5f3d3b07e98164

SHA512
4b09e594a4caa575272509d74d3b07cd09f585650ad4029e50025284a012094e645156d0dca39ae3f5e3bba4214fbb14dbe248ae32162ae083c481e05a5b01af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77b34cb7520da13ab633efd5a42ba7ca

SHA1
b0e70b17424b2f4589eef796659c4214db3baeb4

SHA256
ff222f511287e68da9907cfafeb11732db378a45c7e1ce506342f4b3587c1ff4

SHA512
aa981e2e0ecf77e2f5d6d698572fbf5af9d66ee3e85ee93ecfdba6d14371902ee0539e39d965d51162854124940ce08390fb12c775bf910fc0f37611f5fb8282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0fe5706b4a1dfb2fcfbce57b05fab55

SHA1
2a30ba8fd0d86855ffddaa1a2c9cba86fbe7a20f

SHA256
7d646698e70e38b432afd5ceef594c996cd803a79fa998a367b99ab7b23701a9

SHA512
7108bb9defc4e36fc7fc23481110b31d195185b44c9f516daaa98e3fe1c23ae752b55fae655c18df58f3fd24f10333c9412921789a1973481ee346a666ad7261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16950d6c4497a066e2c0917db3152f21

SHA1
39b233379744fad83e343046e8ed8890eba02f5f

SHA256
9939f1f5ec27f7a0a3b4f66e997038e964b3ab50d7dc80c7d59dacd5facc2c76

SHA512
8e44e753658c459ed0bc735cee12666e54f4b9e69f4e5b9de8828fc59e5e29616e0a74a76915362e459b63a7d384b985f4a24c5519cf65896a6a0a795c4f10c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55012ce01701eed685be4bcfdc8e1ae5

SHA1
600667cabbc39e3987ca115f884081a7ebb27467

SHA256
9db3e4e54e9a930c87205bae98481befd24b488bc4121b3998891f840b641095

SHA512
04ddecdb3d6c415afb82a687334084d2b92cf7df2997d35091d50f3f365c3f224d26ec240644be31ee69a3f57563248ebed852e57d4869c24aae092189c421b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
222B

MD5
b206ffd885239706e2344c18487592fd

SHA1
33aab77bd71c5c6faa3f6c71c22be542406e3a42

SHA256
b8914b227dc78e552402b916f8d1ac13d8a545504baaf8e19e912824487cab58

SHA512
19ffa45bac7257c0d0983369a99f1d567cf5a8e911394e616fb83e426a892d43e377272bde4cfa0a080be52a68bb72891a665f438e47aabac24c11c771206cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat

Filesize
222B

MD5
9bfdcc17e7bd47c3369ea4388994ad6f

SHA1
0e3882fd11df3e858a10ae32f60d5a69df7cd9a6

SHA256
15b801f570a4a338c1eb738b2ff684f7179f1478c2b399c9d9ec853474c0e675

SHA512
a56848626c53de37b94c458ecbc74c5781dfcad0d9facb8833abcc788b10e9efbb9d1b86ed13ac3399a2c2d2ff98dcbad4be2d7833a05b741341892845ef73b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat

Filesize
222B

MD5
9d31c2a11b894187d56c74b8ede14b2a

SHA1
5e0b0dce43c89936e9c3af2afd469e080c3d6b39

SHA256
aa8d1053caa041cc74fc0ea12b936526a802a3d61e3881870b7f099d83e4ec18

SHA512
7158e35532b767e5978473537863c75c8e257c362c802dc91313b5778e8070d16bcc4087a4407c13fd05ff94296f0713458768945d06d29d7c6d4905c017a48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2E82.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QB4qUVXkqU.bat

Filesize
222B

MD5
1ab2ec8f17bba270e8ebfd6717af0994

SHA1
b5bd7bc0dec0e56ff3d7501b4bba77fb7267b07d

SHA256
b5119e3755c9d91810bd3ce8f21ff9905d3b0e1bc4ef62699bdad725a41a467e

SHA512
d735b7044b1d9b73ef530d06b74ede3b2a49316e370fcccfcd64edc95facd5757167f6bf982590e7815aebeb59422d8ba161485c3d43e49fda5f8e0bc0676ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2EA4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

Filesize
222B

MD5
7aaa235fdb8506348e5cccef608f9de8

SHA1
7e04edac94cba1d9b91600615148ba1814983089

SHA256
91165aaf2ddb245046ce155040b0d7c11e434ec380d71d599000a198520564b1

SHA512
979c4925ceb8668fb9c348e98ffc8894f3b7f2b325d7d6efeaa074a3b8c770819fcdf3a4f6bcac9a19937fe19409a6af8c4538c1ca77229f3112f6ca3fcd93e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat

Filesize
222B

MD5
40e3aa136b53d9a34601b31446099796

SHA1
001ad855a680a77d07a7c20fe5c8450af1d38b0e

SHA256
ccaef40aa59975b119ccf86a48c7afcba17da4f9be9cef77ec0002d122fa53e1

SHA512
863790d102ae1d14003ab655392dfc2fc855cf79a2d0501413ab07911da64290d1e2f2a765ac1710fae3acca46316c74b25199fcc7a8b25cda0001e6fc51131b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
222B

MD5
cc0ce36627d95e2054f065bcbbc4f06a

SHA1
a8e3f866c9708ccd143e5a6500c57b48f287fef9

SHA256
9b9a95dcf60cc448dee91cf9bc58a07682e8f92589a34007a23f4ddb8f527a57

SHA512
1776c61dc45ccebf512995f002374e005e908cb6b133b2f2ee65b81c2bc3fe4bbb4d6fbcc82945711462518dee4d58f60cdd9106dc38026dd942aa2edf39a0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat

Filesize
222B

MD5
6470ca5031b61101be626d58fcd13594

SHA1
b6b9279ad34fedcdad0677ca6e3c106e3d4ea357

SHA256
be3af15f2f22baad08b91dc8c2a25cbe51013d69f2ad8cc1b50f397db25ba78a

SHA512
18fe38c22730176642bfe9067d9d673ee1bb46b67911da1c0ad063272f0addfa60c9559206add942383daccf477e2d6ce7fd6237ce759be4c1d7e6e2455ea549

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
222B

MD5
48df95748f52ea6595aded7ba73065b1

SHA1
a0f3a62a0a7f35d86842b0827a0006ec4afe39d8

SHA256
414d0f17aa85cc8fd1c573a8c99e21f036f24875efe0ae10bb74db730aee5db3

SHA512
5cc66096c926a03156c6b2ca34a5652dd8b1c261919c9d2c606fcca2c72031adc0917a54adc37d27b6ed0be1c80a8cddfb7b1f473b9e5b15b380b7d9effec670

Download Submit
C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat

Filesize
222B

MD5
ab2eee673ed66f2f3b83edd06f4dacb7

SHA1
c175b3524fb870201a4057cb6e723c988db40ada

SHA256
93da1e3a163dbc93d5c86a2295b3fd18046b115a04d43c2051da2f4c8ad2702e

SHA512
5e31737d5d740c3ce5c2345c893d3bc70a68e688abfe751648a9f065b644f4787ffc77c68fa7b939c9d6c9ac9ca0be7f02f7a9975f77bd9270ac063020e473b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
222B

MD5
a4aa9dee20a48b984df2685c85d5e65a

SHA1
05b549f0286e49d2b04ad7deecde7848536ce6ac

SHA256
61870db98dee138299c6f07e038921338e2029e7874d54820bdce4f9eeb4f6f7

SHA512
7cd3a930a67ff790bb833959cc831f6fc2079dce3c26d6f2549d739239748a06a6eec7be1a4a4bd73d36f9a6abaa63fcb98367d303caa42fd39a08d1078390ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c4392d45cf14c50874d2c27389924aa

SHA1
1446d48ee92d6e0833c901b9d76fc7149ce6ccb5

SHA256
bd994e6e8d0ec09c650882e92d66ec0059bd67f0df2135dc97a4530e46d312f1

SHA512
40737c1ad0a3b6a7145bcd9c193ffb970363dfc457cbea8c62c494ec6c2d370c2aa1c7214eee2342f975080c166c7a511154c05070cad7f227c676099f864033

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1252-352-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/1820-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1820-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1820-13-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/1820-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1820-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/1872-232-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1900-172-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/1992-113-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1992-112-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/2012-58-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2012-56-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2104-292-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2152-531-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/2152-532-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2604-471-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download