dcrat | ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151

Analysis

max time kernel
144s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151.exe
Size

1.3MB
MD5

646a404dc3a4660c161918c699d85995
SHA1

fd88b22a64dfed30b6a340fd29b4f8c1d645def4
SHA256

ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151
SHA512

6e891d4b26581510e861ccb4d53be8d5b5da69da6b5e48bbc101850f6e3c7c6841e955064f4066f747b6975972a61b10d50f6a0830fde6c68307fbdc584afd79
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2564	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016edc-9.dat	dcrat
behavioral1/memory/2808-13-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2268-48-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/1376-174-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/268-293-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2368-353-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
behavioral1/memory/1092-414-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/708-534-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/1440-594-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/848-654-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/2008-714-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2364	powershell.exe
2084	powershell.exe
2948	powershell.exe
1660	powershell.exe
984	powershell.exe
784	powershell.exe
2324	powershell.exe
1732	powershell.exe
1516	powershell.exe
768	powershell.exe
1664	powershell.exe
1352	powershell.exe
2956	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2808	DllCommonsvc.exe
2268	lsass.exe
1376	lsass.exe
1512	lsass.exe
268	lsass.exe
2368	lsass.exe
1092	lsass.exe
1140	lsass.exe
708	lsass.exe
1440	lsass.exe
848	lsass.exe
2008	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2836	cmd.exe
2836	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\es-ES\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\es-ES\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
760	schtasks.exe
1396	schtasks.exe
2176	schtasks.exe
2512	schtasks.exe
2552	schtasks.exe
1484	schtasks.exe
1544	schtasks.exe
1040	schtasks.exe
532	schtasks.exe
932	schtasks.exe
1740	schtasks.exe
2460	schtasks.exe
2300	schtasks.exe
2352	schtasks.exe
1036	schtasks.exe
2444	schtasks.exe
2928	schtasks.exe
2848	schtasks.exe
1440	schtasks.exe
1904	schtasks.exe
2404	schtasks.exe
900	schtasks.exe
1368	schtasks.exe
3024	schtasks.exe
1308	schtasks.exe
1764	schtasks.exe
1628	schtasks.exe
848	schtasks.exe
988	schtasks.exe
2880	schtasks.exe
336	schtasks.exe
2368	schtasks.exe
796	schtasks.exe
904	schtasks.exe
708	schtasks.exe
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
1664	powershell.exe
1660	powershell.exe
1732	powershell.exe
2084	powershell.exe
2948	powershell.exe
2364	powershell.exe
768	powershell.exe
2956	powershell.exe
784	powershell.exe
1352	powershell.exe
2324	powershell.exe
984	powershell.exe
1516	powershell.exe
2268	lsass.exe
1376	lsass.exe
1512	lsass.exe
268	lsass.exe
2368	lsass.exe
1092	lsass.exe
1140	lsass.exe
708	lsass.exe
1440	lsass.exe
848	lsass.exe
2008	lsass.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	DllCommonsvc.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2268	lsass.exe
Token: SeDebugPrivilege	1376	lsass.exe
Token: SeDebugPrivilege	1512	lsass.exe
Token: SeDebugPrivilege	268	lsass.exe
Token: SeDebugPrivilege	2368	lsass.exe
Token: SeDebugPrivilege	1092	lsass.exe
Token: SeDebugPrivilege	1140	lsass.exe
Token: SeDebugPrivilege	708	lsass.exe
Token: SeDebugPrivilege	1440	lsass.exe
Token: SeDebugPrivilege	848	lsass.exe
Token: SeDebugPrivilege	2008	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2744	2828	JaffaCakes118_ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151.exe	30
PID 2828 wrote to memory of 2744	2828	JaffaCakes118_ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151.exe	30
PID 2828 wrote to memory of 2744	2828	JaffaCakes118_ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151.exe	30
PID 2828 wrote to memory of 2744	2828	JaffaCakes118_ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151.exe	30
PID 2744 wrote to memory of 2836	2744	WScript.exe	31
PID 2744 wrote to memory of 2836	2744	WScript.exe	31
PID 2744 wrote to memory of 2836	2744	WScript.exe	31
PID 2744 wrote to memory of 2836	2744	WScript.exe	31
PID 2836 wrote to memory of 2808	2836	cmd.exe	33
PID 2836 wrote to memory of 2808	2836	cmd.exe	33
PID 2836 wrote to memory of 2808	2836	cmd.exe	33
PID 2836 wrote to memory of 2808	2836	cmd.exe	33
PID 2808 wrote to memory of 2364	2808	DllCommonsvc.exe	71
PID 2808 wrote to memory of 2364	2808	DllCommonsvc.exe	71
PID 2808 wrote to memory of 2364	2808	DllCommonsvc.exe	71
PID 2808 wrote to memory of 1732	2808	DllCommonsvc.exe	72
PID 2808 wrote to memory of 1732	2808	DllCommonsvc.exe	72
PID 2808 wrote to memory of 1732	2808	DllCommonsvc.exe	72
PID 2808 wrote to memory of 2084	2808	DllCommonsvc.exe	73
PID 2808 wrote to memory of 2084	2808	DllCommonsvc.exe	73
PID 2808 wrote to memory of 2084	2808	DllCommonsvc.exe	73
PID 2808 wrote to memory of 1516	2808	DllCommonsvc.exe	74
PID 2808 wrote to memory of 1516	2808	DllCommonsvc.exe	74
PID 2808 wrote to memory of 1516	2808	DllCommonsvc.exe	74
PID 2808 wrote to memory of 768	2808	DllCommonsvc.exe	75
PID 2808 wrote to memory of 768	2808	DllCommonsvc.exe	75
PID 2808 wrote to memory of 768	2808	DllCommonsvc.exe	75
PID 2808 wrote to memory of 1664	2808	DllCommonsvc.exe	76
PID 2808 wrote to memory of 1664	2808	DllCommonsvc.exe	76
PID 2808 wrote to memory of 1664	2808	DllCommonsvc.exe	76
PID 2808 wrote to memory of 2948	2808	DllCommonsvc.exe	77
PID 2808 wrote to memory of 2948	2808	DllCommonsvc.exe	77
PID 2808 wrote to memory of 2948	2808	DllCommonsvc.exe	77
PID 2808 wrote to memory of 1352	2808	DllCommonsvc.exe	78
PID 2808 wrote to memory of 1352	2808	DllCommonsvc.exe	78
PID 2808 wrote to memory of 1352	2808	DllCommonsvc.exe	78
PID 2808 wrote to memory of 2956	2808	DllCommonsvc.exe	79
PID 2808 wrote to memory of 2956	2808	DllCommonsvc.exe	79
PID 2808 wrote to memory of 2956	2808	DllCommonsvc.exe	79
PID 2808 wrote to memory of 1660	2808	DllCommonsvc.exe	80
PID 2808 wrote to memory of 1660	2808	DllCommonsvc.exe	80
PID 2808 wrote to memory of 1660	2808	DllCommonsvc.exe	80
PID 2808 wrote to memory of 784	2808	DllCommonsvc.exe	81
PID 2808 wrote to memory of 784	2808	DllCommonsvc.exe	81
PID 2808 wrote to memory of 784	2808	DllCommonsvc.exe	81
PID 2808 wrote to memory of 984	2808	DllCommonsvc.exe	82
PID 2808 wrote to memory of 984	2808	DllCommonsvc.exe	82
PID 2808 wrote to memory of 984	2808	DllCommonsvc.exe	82
PID 2808 wrote to memory of 2324	2808	DllCommonsvc.exe	83
PID 2808 wrote to memory of 2324	2808	DllCommonsvc.exe	83
PID 2808 wrote to memory of 2324	2808	DllCommonsvc.exe	83
PID 2808 wrote to memory of 2268	2808	DllCommonsvc.exe	97
PID 2808 wrote to memory of 2268	2808	DllCommonsvc.exe	97
PID 2808 wrote to memory of 2268	2808	DllCommonsvc.exe	97
PID 2268 wrote to memory of 324	2268	lsass.exe	98
PID 2268 wrote to memory of 324	2268	lsass.exe	98
PID 2268 wrote to memory of 324	2268	lsass.exe	98
PID 324 wrote to memory of 1084	324	cmd.exe	100
PID 324 wrote to memory of 1084	324	cmd.exe	100
PID 324 wrote to memory of 1084	324	cmd.exe	100
PID 324 wrote to memory of 1376	324	cmd.exe	101
PID 324 wrote to memory of 1376	324	cmd.exe	101
PID 324 wrote to memory of 1376	324	cmd.exe	101
PID 1376 wrote to memory of 3004	1376	lsass.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab3df3e21309c0557a1610b4d40d3ce467a75e4e1ca4ead6b8479b1710584151.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\es-ES\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\it-IT\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1084
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        8⤵
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2956
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        10⤵
        
        PID:1140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1720
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat"
        12⤵
        
        PID:1156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2840
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        14⤵
        
        PID:448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2092
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        16⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1028
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat"
        18⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1488
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        20⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2896
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        22⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2420
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        24⤵
        
        PID:1316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2872
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cf0264ce151c636a8608821b62a48f2

SHA1
333f6f28d258b76b029d5b25d059cf3fafe623cf

SHA256
7aeed5bf5ffb91c52d308c14050c82c84760e8c443e54c3cc582957de4482c80

SHA512
4218fa1f6035b9a71b3723603be25a6fc88c5688730211fb4c95355d9281bc4af66cfbbb5543fce970ae5e27d73f4f292680ae50fd9cb10e6eebab2b13c7d060

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c7069bd7cbba143b51ccb4b12d3e377

SHA1
c3e5947da14e298a851575be0e63847f6efdc524

SHA256
565cfe375e3a8cbe268d299f1ef606788c39aa02a99c9f1f5e2de502bea7b2c8

SHA512
496b32c55130c7f0d590eb911a7687a769dabd2be2b176b78e2cbec437d5d6b30d7eec2fd4a887b843a1470fb8b87a45402076d2fdbdeefb46508ef33fe0b94b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec1a31171aa36c6028f58f1076705f9a

SHA1
e7088b9c324a8f9bfc1ba21e47d7d733713e70c2

SHA256
7d5a0c30d31714d24379deb522acbdd8e0c81e1381e6f4b7bbf0e3b3129891d9

SHA512
989b9ff0eb7ee26242fc4cff83c7146896b657dd431a764fd9233802d0150f17510f6c6f0e07bf43b2e70677c17bf5f1e2fbfda91daeb2026889ba6a9a7c70d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a769b219c1fc8fdff7a4f794c9b6e8cf

SHA1
a98a47227c81c43f2bdcda1f1e38a38fd821ce4c

SHA256
c68f9d987d80f9cd82c8a2ac6c0a4c2cc8ed31d9cf3a501b138b724021cc3603

SHA512
2d17b891537b9eab377547576dd63cb48e55ef536f50a8f44b1f8956a609f90af74c33d988fdf1e68d00dba348664927bc23caf0ec00f26b0e5cbfe15c6bfedc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deea9c496baa85a65c672e7a3a2d257c

SHA1
66bb757419eca4009edb9fb3944d6e7a76e256f1

SHA256
c24a86a8e6a20b1b1a0339e3164078360052ec9e959994eb866beb0754c4b790

SHA512
03aebd5ac2e3ffca155bf7a62aad412ebaa3f94b6cab57013a1fe0e105a840db385ca478b4e55552afef3a1466ec5fd97c4dec1444cee73c842947273109c515

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80c3bb26885946fcacdd5292c01281d2

SHA1
66c81b7a9a2c40f47777cb0b93280a8198449787

SHA256
6d22e5bfda08d77355ebee9107cafa1cfaf0f8ede16906b7cb827c0778d382ef

SHA512
b5ddc9776a0ba103fa3c6812c49269eabd0e4f593a980ff2abb7d47221e85d3665cf07fc5a80154362dca595d780dc8532365295aeae34e6dba39f7c2b42bb17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8f27594275155c72a53c56c33711bb1

SHA1
5515ab548895b92b09dbb0d2a1cc3a706f5ac2b1

SHA256
363ea7904f7026510fdd72cb3fb05fb49134eb25778610dccf80117bd16e41bf

SHA512
ec98421ce5d7bdad639feb1e8103875d1b4815b9de7f1e4e04af6d7d3ba2b460f3905d440f45eb03cd34de18bca0fce8653527e09366a056021a61af19b55088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbe33a7855a56ab9164f4599ba0d20f2

SHA1
bf83d952b78a6a74bbbdf4dc7e992d3b3663216b

SHA256
a51033037250fd9e80ea8007c44afede309fbc8569d42259802f9cf7536dfca0

SHA512
77289db9de2790e5919316f9d1d5dd5a3f579773df64afeca1a0e766bdeb4139b62acfe97062e0be41b7716159ec4699050f9852cded29b76ca619c49b24a458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3da9da3055b038befc140b8ba2d870b1

SHA1
98ab19e0b9c82cb9614d4e74afa933fa27553bb4

SHA256
614c8436f437540dd7199a51ecb9dbcb8b726bbe625ebedd05eaba92f8f83e41

SHA512
d4604344289d69596a0d0aa764f4c50fe6c9b1da9af50489f16c904438c4eee8ae43a7f0c39df341d4a37560c41a6636ad1d20af7e09ee2ae2fc7581e9303ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2020.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat

Filesize
223B

MD5
36f4ea943dca268597dde600a0b68ec8

SHA1
e705b0d22f9239300b64542639f23ba4ab6a3312

SHA256
9eb9c17e2d381db8a399590bcecdc2b3454ab7b34e7a0471c6a75b53a2d051ad

SHA512
420b8003b454a2a319d873590e17e71085c95da2871b482823d974e44c25fc1ad2bb03c87bce2719353052e46f3caaa7c046ef1cbd4f68829b395e9dbbe2cb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
223B

MD5
55a2ada31fa668c6fbbb9b13bf432b89

SHA1
66811754cb6723abeefa7ba2db6eafce1bcbeab3

SHA256
32af2d03e2e9fa76ee77e85133b1b5f25b50152bc3ada484c7041d2946d2014f

SHA512
002e345ea392e806b3abf9bbcddd2d1d3907c1c89f1c86d5382aac2529d2ddc8f0351891806dbdb449b033e5e16c9e3421b07907c5751ba657cd97ca31ae96b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
223B

MD5
0a10c56ce6f5e71f9fb1896485317c44

SHA1
a93a7847a2b7d9263b30331b82fd58586e921cfa

SHA256
20c212c16ac004eeedb490155a099457b8a585d5156fad4bbb5b00831e54032f

SHA512
1e0c03639311e9035e62c65e5ed8623a86fa2e98153ed72ed885a353f7e65e4edf5932e2b869ab7a8960e0dad4ca2cb7eba4f6ce431416e65d15fe57024448c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2023.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat

Filesize
223B

MD5
081009c950360d4a2a12dcabe48c7762

SHA1
cd7cbb41219ec4a74e91b391002f05c5fb9fc521

SHA256
9332afceabe0a182e058223059e76b3649d774905c0fc5123bb60bd1ddb4caa7

SHA512
8a4b2e366734d0514ab9f3e45c5733055e3affe999a01a25bcc8573aad29fdc88b08dbf79f2abb4e54f6e0e8bbfc2f26f132a03b4e3bfbf87d811d034f40a7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
223B

MD5
a942583f0348de484095d3018c5a1493

SHA1
c02ab37ca0207a15c4e60155000abbaf0ce8db57

SHA256
50e96c577fc3883592d62da2ea3bfc7ae49bdb3c9dc80278ef53501b8a325bc0

SHA512
5ad4da51da648d0446c67ee40a95ea35d68b71b3170a376f5155fb7a17a9ecea30fa69a98f0fce955cdfb47330e85eea44936b99a5e811aab022989c0042785d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
223B

MD5
41637d7b46588c00fa727166262a9444

SHA1
6332de5954fae4128c1193ccb407541519b05f68

SHA256
f2d17c7cb74341153ef310764e28dd93f539b2edfe868eab719e3678b5de4909

SHA512
ada3f9e399b3f98f3b93f066dec99260f1b83ecdb51ad1506e5683efbe4b768981f57777a0bc5cb0e27c15084aa0012a3b3ddaeb6985c4f51b621510fd2c78ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat

Filesize
223B

MD5
96e55971c5f1ec6723b93a969e5703d6

SHA1
1edd1ac278fba2b9b232226efdcccf1ee7eb5c0d

SHA256
f5d757cc06d9c04a280f8d5276e0b5c95c67022c625575fec22cfc5da105395a

SHA512
834cc563f4947bf7d8028f948d747f56cb198b449d0ddad45a5b909e1cdf974c7121b417457d7902859d6d6356156aac92407b65126e051f8e58000deed79703

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
223B

MD5
bc8ce198102d6c3f37d0af326c4f11c1

SHA1
9b7500a26775820b74ec059719ae73d8af15fae7

SHA256
40ccb7140c909645711b4f57214956e7a8a36aafe1bf9ef408f21c28bf005730

SHA512
2ae670c1496a6974ec7eca82e7d93c6853b0543ba178198982751c23e0d0beede12bc3919da44325328d53300c7d496503967887815f2dd2c511407007fec6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
223B

MD5
2e19a3fb57fc382a5c1bb7aa61654fcf

SHA1
c2c39e8d21b900b6465aac0aa9c9c5227b021cf4

SHA256
22ecc22bf1121aa19cad9d560ecf56bba818786aa76574276a47be3485d42c49

SHA512
7e024983a5fc59be62c6f85790cd6d7241ca13ac9a139c4501e41f94083dcbf59eb83f76039ab4920f7644d8c10b56660d4ca97fac349606c25b441e6783e7fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a6682074ec362c4c5df7e992f206e105

SHA1
58524d60b6de0307131b72355b76549f8d219665

SHA256
8a30b286625d5df4a4c2bab7bc574817c8fb5480395e2ac03f8f0878144a5d83

SHA512
91946706ad593954c8fdd17f56cfed0356feb77c687b49e311a10f4259a6329cf0ed8912f8b098f3f9265ecca672ffb7ea179de12fcf5cc8527598a89a63da22

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/268-293-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/708-534-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/848-654-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/1092-414-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/1092-415-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1376-174-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/1440-594-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1664-55-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1664-54-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2008-714-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2268-48-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2268-115-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2368-354-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2368-353-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download
memory/2808-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2808-13-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/2808-15-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2808-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2808-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download