dcrat | 0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
Size

1.3MB
MD5

427f7790d059cd2061ba031492d36424
SHA1

ee9e9244d72b852328b8b8666801c02b056dd21c
SHA256

0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe
SHA512

f981d1e04e6ef86de82f42f66e96c8896aa452fea6ff78a2856b9d8bc7fca28be6211b85aeac2e6b46f2a69c43e3408e8e4fe73805d0280082c3ef9f84b41862
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2744	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193b8-12.dat	dcrat
behavioral1/memory/2944-13-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/3028-129-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2624-248-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1144-308-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/752-368-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/2220-487-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1980-547-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
332	powershell.exe
2556	powershell.exe
1720	powershell.exe
1804	powershell.exe
1852	powershell.exe
2132	powershell.exe
2396	powershell.exe
892	powershell.exe
884	powershell.exe
664	powershell.exe
1168	powershell.exe
1312	powershell.exe
2492	powershell.exe
2684	powershell.exe
1240	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2944	DllCommonsvc.exe
3028	System.exe
2388	System.exe
2624	System.exe
1144	System.exe
752	System.exe
2192	System.exe
2220	System.exe
1980	System.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	cmd.exe
3004	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
24	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\it-IT\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\it-IT\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\winsxs\msil_system.core.resources_b77a5c561934e089_6.1.7600.16385_fr-fr_35f33be2a14c173b\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2172	schtasks.exe
2576	schtasks.exe
2232	schtasks.exe
1372	schtasks.exe
596	schtasks.exe
1532	schtasks.exe
2508	schtasks.exe
2116	schtasks.exe
1052	schtasks.exe
1544	schtasks.exe
2384	schtasks.exe
2008	schtasks.exe
2420	schtasks.exe
1076	schtasks.exe
1020	schtasks.exe
524	schtasks.exe
3064	schtasks.exe
2736	schtasks.exe
2520	schtasks.exe
1472	schtasks.exe
2068	schtasks.exe
2340	schtasks.exe
2312	schtasks.exe
1744	schtasks.exe
592	schtasks.exe
1956	schtasks.exe
1536	schtasks.exe
2284	schtasks.exe
948	schtasks.exe
1680	schtasks.exe
1216	schtasks.exe
2620	schtasks.exe
2612	schtasks.exe
984	schtasks.exe
2092	schtasks.exe
2808	schtasks.exe
3060	schtasks.exe
2208	schtasks.exe
1976	schtasks.exe
2708	schtasks.exe
2636	schtasks.exe
1132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2944	DllCommonsvc.exe
2944	DllCommonsvc.exe
2944	DllCommonsvc.exe
332	powershell.exe
1720	powershell.exe
1240	powershell.exe
1804	powershell.exe
884	powershell.exe
2396	powershell.exe
664	powershell.exe
1852	powershell.exe
2132	powershell.exe
2556	powershell.exe
892	powershell.exe
1312	powershell.exe
2684	powershell.exe
2492	powershell.exe
1168	powershell.exe
3028	System.exe
2388	System.exe
2624	System.exe
1144	System.exe
752	System.exe
2192	System.exe
2220	System.exe
1980	System.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	DllCommonsvc.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	3028	System.exe
Token: SeDebugPrivilege	2388	System.exe
Token: SeDebugPrivilege	2624	System.exe
Token: SeDebugPrivilege	1144	System.exe
Token: SeDebugPrivilege	752	System.exe
Token: SeDebugPrivilege	2192	System.exe
Token: SeDebugPrivilege	2220	System.exe
Token: SeDebugPrivilege	1980	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe	30
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe	30
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe	30
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe	30
PID 2896 wrote to memory of 3004	2896	WScript.exe	31
PID 2896 wrote to memory of 3004	2896	WScript.exe	31
PID 2896 wrote to memory of 3004	2896	WScript.exe	31
PID 2896 wrote to memory of 3004	2896	WScript.exe	31
PID 3004 wrote to memory of 2944	3004	cmd.exe	33
PID 3004 wrote to memory of 2944	3004	cmd.exe	33
PID 3004 wrote to memory of 2944	3004	cmd.exe	33
PID 3004 wrote to memory of 2944	3004	cmd.exe	33
PID 2944 wrote to memory of 1852	2944	DllCommonsvc.exe	77
PID 2944 wrote to memory of 1852	2944	DllCommonsvc.exe	77
PID 2944 wrote to memory of 1852	2944	DllCommonsvc.exe	77
PID 2944 wrote to memory of 2492	2944	DllCommonsvc.exe	78
PID 2944 wrote to memory of 2492	2944	DllCommonsvc.exe	78
PID 2944 wrote to memory of 2492	2944	DllCommonsvc.exe	78
PID 2944 wrote to memory of 332	2944	DllCommonsvc.exe	79
PID 2944 wrote to memory of 332	2944	DllCommonsvc.exe	79
PID 2944 wrote to memory of 332	2944	DllCommonsvc.exe	79
PID 2944 wrote to memory of 2132	2944	DllCommonsvc.exe	80
PID 2944 wrote to memory of 2132	2944	DllCommonsvc.exe	80
PID 2944 wrote to memory of 2132	2944	DllCommonsvc.exe	80
PID 2944 wrote to memory of 2396	2944	DllCommonsvc.exe	81
PID 2944 wrote to memory of 2396	2944	DllCommonsvc.exe	81
PID 2944 wrote to memory of 2396	2944	DllCommonsvc.exe	81
PID 2944 wrote to memory of 2684	2944	DllCommonsvc.exe	82
PID 2944 wrote to memory of 2684	2944	DllCommonsvc.exe	82
PID 2944 wrote to memory of 2684	2944	DllCommonsvc.exe	82
PID 2944 wrote to memory of 1240	2944	DllCommonsvc.exe	83
PID 2944 wrote to memory of 1240	2944	DllCommonsvc.exe	83
PID 2944 wrote to memory of 1240	2944	DllCommonsvc.exe	83
PID 2944 wrote to memory of 892	2944	DllCommonsvc.exe	84
PID 2944 wrote to memory of 892	2944	DllCommonsvc.exe	84
PID 2944 wrote to memory of 892	2944	DllCommonsvc.exe	84
PID 2944 wrote to memory of 884	2944	DllCommonsvc.exe	85
PID 2944 wrote to memory of 884	2944	DllCommonsvc.exe	85
PID 2944 wrote to memory of 884	2944	DllCommonsvc.exe	85
PID 2944 wrote to memory of 1168	2944	DllCommonsvc.exe	86
PID 2944 wrote to memory of 1168	2944	DllCommonsvc.exe	86
PID 2944 wrote to memory of 1168	2944	DllCommonsvc.exe	86
PID 2944 wrote to memory of 2556	2944	DllCommonsvc.exe	87
PID 2944 wrote to memory of 2556	2944	DllCommonsvc.exe	87
PID 2944 wrote to memory of 2556	2944	DllCommonsvc.exe	87
PID 2944 wrote to memory of 1720	2944	DllCommonsvc.exe	88
PID 2944 wrote to memory of 1720	2944	DllCommonsvc.exe	88
PID 2944 wrote to memory of 1720	2944	DllCommonsvc.exe	88
PID 2944 wrote to memory of 1804	2944	DllCommonsvc.exe	89
PID 2944 wrote to memory of 1804	2944	DllCommonsvc.exe	89
PID 2944 wrote to memory of 1804	2944	DllCommonsvc.exe	89
PID 2944 wrote to memory of 1312	2944	DllCommonsvc.exe	90
PID 2944 wrote to memory of 1312	2944	DllCommonsvc.exe	90
PID 2944 wrote to memory of 1312	2944	DllCommonsvc.exe	90
PID 2944 wrote to memory of 664	2944	DllCommonsvc.exe	91
PID 2944 wrote to memory of 664	2944	DllCommonsvc.exe	91
PID 2944 wrote to memory of 664	2944	DllCommonsvc.exe	91
PID 2944 wrote to memory of 2772	2944	DllCommonsvc.exe	107
PID 2944 wrote to memory of 2772	2944	DllCommonsvc.exe	107
PID 2944 wrote to memory of 2772	2944	DllCommonsvc.exe	107
PID 2772 wrote to memory of 3060	2772	cmd.exe	109
PID 2772 wrote to memory of 3060	2772	cmd.exe	109
PID 2772 wrote to memory of 3060	2772	cmd.exe	109
PID 2772 wrote to memory of 3028	2772	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbpPGpjxbE.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3060
      - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        7⤵
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1924
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
        9⤵
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2412
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
        11⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1604
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
        13⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2724
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
        15⤵
        
        PID:1128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2876
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
        17⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2264
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        19⤵
        
        PID:2480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1532
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dce8adbcb77f811a5eba0952c6c9d9a7

SHA1
63bbb9d7624e798bb4f0a7da13157b9b531af4fe

SHA256
6a0618210c97c1e91c7ba9f6908b9a2248a0a72df5f1a4024779383a45fe4ed0

SHA512
ed75cb288aeaabbb4f503fdad27c181fa1c4f964859efe897508508fda92389a9cc08610c00bcf3cbbe49933464bd21795968cea104464f87f5bc9e3513f1ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa65b25da4440db21954455b1bac94f5

SHA1
948c68996a48d245378531f76732d7400744dbf6

SHA256
8509e72f17c181e659e8affd0718259081ec58f908c5323cb9a3415af142617d

SHA512
762234a1b2fd309ae653eaa4e2b23eb394655b8e0b6f634f42ba333a626a1d6656b99654bcd8e8e7074793b3d573837b3503235fe8dd397959e9202ecfccca14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c331ba755bb4975bf7730f66d545064d

SHA1
1dc1bfa7c2b6b6e952a725f04fcf7b5193f39b80

SHA256
2c786249e960a16a1594e083dc8da71e9d9be932ad13921defe5b3aedc0113f2

SHA512
a0b7b52f0f9d12c2041d32818b250d4e61410a02f86e59b1fea0f722f091e5fc79ed380fc64dff40e65cceef2bd6fef4c8f52a81f5f13925ddf22352d83a654a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5dda8fe5a2c589aef14fdb2e4e71c35

SHA1
f8e7594b24add02abf391d8a337a0827b159dd6b

SHA256
cf91e82db92144d4553b1ab142508bda58340f3a56f48f04579fbac3bb3310a4

SHA512
0523437b7ac95166108e07a4403aa08318c59cf3fad1abecfa1610fbc6ab0c4677c6d83f8c43752cb426a89a4d28de49f6f413203beddb8794ffdd5415635fc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
073525a848160c8d97ab4d48854c14fc

SHA1
afd480aad0eab293aad668910a01cbbf2e3e876e

SHA256
feead49f6c11f0dead261e455511146627ba6ee72e5413a14a1bbd3e3e5098c9

SHA512
4baa111ad7d8b7e1624832e28c59569e47292b8ac23a6ddc68b6f6cb98f02d854b2acc936b4b81560c92cea01b312c71155f630098728e314d79d06d64f6fd96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a2aee22cbe1bb637a3b639ef5b14506

SHA1
3940c3f4e8e223c7da24cf46339e78938e8600d5

SHA256
bb8ada1ab9275c2f271c4459398d0f9b9aa1d012b95f67d92e2cd1e65bb96ba3

SHA512
5733272dbc264aeea61ba0a96dc372175082a999681264818207464d7e1e4cf179e443861b158af098492a4a10daab67d3a5f5e8ffe3ee77fc24f6c2e72864a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat

Filesize
224B

MD5
b984a0fa7abde61457b2558e2edb9e89

SHA1
ec72d26a2f825f8649be2715fb2c524de36a3b0e

SHA256
12852f0f619740f8af629dd7a8cf273a96193627e1f116045ec413467dff4210

SHA512
fc7f7836e2687d32ba196f5ffc45b839a3e409b163b86e56cac9c04ff0cddfd1fc20b14d197ca9c0ac010e2cf9b06f5552b9840afec156c64915da64490e288d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6A3A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat

Filesize
224B

MD5
3785fb959b4ad11768f0d514b38d3f36

SHA1
0700054fddabd5af82f385e7a16432c8b1bd2e30

SHA256
d5505cd0e4225df89c9f7a121aa5439d91d0ce8e7a4145988e5b0249757d1195

SHA512
bdfb9749daf0fc520a789abce81bfbf244b5d8a6d9d146c0f1e07c4167824204b737defad672ed522086151de62e447b5230ab139c7b5d98ebb10b547c039718

Download Submit
C:\Users\Admin\AppData\Local\Temp\JbpPGpjxbE.bat

Filesize
224B

MD5
7e8fe6297bad28e22037a3e90576ff46

SHA1
866f0c8352f1da4e22392fd52e745225c48b4cc7

SHA256
531b2a8dfd576fa41f42d5e67e080214d8a9360dcb22ffca2d6846ece5853dd9

SHA512
e903c6828efe0821b72d28d1f7509004f8088146e9a7c877a9105fcb9a8036b0f6eeea00bab441a48112f4f6b7fa1e8b2c24c1404290640b831d6b47cc8fa0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

Filesize
224B

MD5
c5a882e5f53d8c62c452a2651478e1c8

SHA1
e3014a8d4ed2a1e18a8a700bd99be32f061e56c0

SHA256
e47e58d8cb1cb61e750c852dfcd2d3861908a80fdc30f88f6e8f66266d2def68

SHA512
796f2ba96487a262acc50aa6821940a7291662e46a2f172940c855bafe0b40f5ea16e73f53bee8620267334743f74ee9e4e4af51c2432b1756327494d9fc33ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat

Filesize
224B

MD5
9597f0e2777e84358b631888a46b2beb

SHA1
cedae66a28a4d92a4765dfb85e3b4919dbc6617c

SHA256
e58b5849d8dbf022c286eba69565a0b3c52b89a88561402850118928a482efa9

SHA512
d3144c01b746271670eaca6054ae528d1bc5c6878a7b5b9c9220d6dc06cbf49226b173c66cc2a95102b328c5bdae9effacbdf3e84d6dd363d29ae4eced070d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

Filesize
224B

MD5
e5fc880192c6726ea2d2f206d150ed48

SHA1
aede490212fa9015649af638f4801c34be42a111

SHA256
aa8fefa4524c2855590dd6cd7130954e7bb4cbab9c319f3ca9a7afa11d5a7ff5

SHA512
e733becede8bd106803ed9476b4edd66ec4995594c47a65b8715c6eeb889414c23614e93391823f999e0105f4b5c014c1a3686c31dc3c84eeb7cfff6a6ba3ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6A9A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
224B

MD5
64194d496658c6bc2a722107e4cc5ac7

SHA1
297b2ee8384cda1bbfd76d2e725469b1ba6e0d88

SHA256
7f193b22b8bc704c76da3e19cd7d3e6c71312d7beb7701234d16b3bb47c06cbe

SHA512
baac9e614627bb71b7fc053dbd72a46348b77b96ba1f454b7de26552ead42ca847bb2069449bca4bdd6907cc94b4cb410f15ca5eb8e647ece9ff5bb10843237f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
224B

MD5
2c60f4aa1d5a24acb353a037c9992081

SHA1
4ffff14118ea41a8434dd944fc5c9a94158ce73f

SHA256
4ae6b28566ffd25e8ee3edd541d265b9436af06b2b4fffabd5917389bc7f372d

SHA512
228315a41887578b643c16f511569f3a5132b4bd6f21486902b5cda90afb1d3b250e853db3d7cca459d6140fae4c22e17f3f69a6fbcb735f0d4451112da8fab0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f3d03b7c963d6bfee7a1fa3af2cc25ca

SHA1
4303677747605b17f67b493fb952afd202a6766d

SHA256
58cf95e8d2506fcb822c36dd542183a50d7a4e744e97bae7957850c9d80c7b41

SHA512
51a00a6ecc09a1873b511d206aa4b72ec312afd54e158e2d778a86294f6070525d480e842b04bc0f536cd4d73489197f3e479a93c0c6b1cbf41b343c22dec6f4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/332-91-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/752-368-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/884-88-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/1144-308-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/1980-547-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/2220-487-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2624-248-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2944-17-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2944-13-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/2944-14-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2944-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2944-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3028-130-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3028-129-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download