dcrat | 60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea.exe
Size

1.3MB
MD5

7a44904725c41c347e0e03e069ef8333
SHA1

18a00d26095e4fd98d5ec55a6834a524a125afd7
SHA256

60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea
SHA512

eaed008b0330c8c2eae4bf875642f07aa1510723811ad5f26b9b6aa3c999ff8853d1440cab67bca5321d36a6aa4fcb7c509829e8ed6412645ecae86d70455026
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2896	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2896	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d21-12.dat	dcrat
behavioral1/memory/2728-13-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/1448-57-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2852-166-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/2880-226-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/1852-405-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2328-465-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2252-525-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat
behavioral1/memory/2072-585-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
780	powershell.exe
1620	powershell.exe
1612	powershell.exe
1856	powershell.exe
1476	powershell.exe
1716	powershell.exe
1540	powershell.exe
868	powershell.exe
1940	powershell.exe
1700	powershell.exe
820	powershell.exe
2268	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2728	DllCommonsvc.exe
1448	wininit.exe
2852	wininit.exe
2880	wininit.exe
2816	wininit.exe
2624	wininit.exe
1852	wininit.exe
2328	wininit.exe
2252	wininit.exe
2072	wininit.exe
2424	wininit.exe
2744	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	cmd.exe
2368	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
27	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\audiodg.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ehome\es-ES\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\es-ES\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1780	schtasks.exe
1648	schtasks.exe
2108	schtasks.exe
2788	schtasks.exe
2152	schtasks.exe
832	schtasks.exe
1776	schtasks.exe
1408	schtasks.exe
2808	schtasks.exe
2096	schtasks.exe
2244	schtasks.exe
1036	schtasks.exe
536	schtasks.exe
2784	schtasks.exe
2652	schtasks.exe
1832	schtasks.exe
2220	schtasks.exe
1956	schtasks.exe
280	schtasks.exe
2792	schtasks.exe
2004	schtasks.exe
2956	schtasks.exe
2000	schtasks.exe
1568	schtasks.exe
1616	schtasks.exe
692	schtasks.exe
1464	schtasks.exe
2868	schtasks.exe
2312	schtasks.exe
2160	schtasks.exe
2608	schtasks.exe
708	schtasks.exe
1088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2728	DllCommonsvc.exe
2728	DllCommonsvc.exe
2728	DllCommonsvc.exe
1716	powershell.exe
1540	powershell.exe
820	powershell.exe
1856	powershell.exe
868	powershell.exe
2268	powershell.exe
1620	powershell.exe
1940	powershell.exe
1476	powershell.exe
780	powershell.exe
1612	powershell.exe
1700	powershell.exe
1448	wininit.exe
2852	wininit.exe
2880	wininit.exe
2816	wininit.exe
2624	wininit.exe
1852	wininit.exe
2328	wininit.exe
2252	wininit.exe
2072	wininit.exe
2424	wininit.exe
2744	wininit.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	DllCommonsvc.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1448	wininit.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2852	wininit.exe
Token: SeDebugPrivilege	2880	wininit.exe
Token: SeDebugPrivilege	2816	wininit.exe
Token: SeDebugPrivilege	2624	wininit.exe
Token: SeDebugPrivilege	1852	wininit.exe
Token: SeDebugPrivilege	2328	wininit.exe
Token: SeDebugPrivilege	2252	wininit.exe
Token: SeDebugPrivilege	2072	wininit.exe
Token: SeDebugPrivilege	2424	wininit.exe
Token: SeDebugPrivilege	2744	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2556	2540	JaffaCakes118_60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea.exe	30
PID 2540 wrote to memory of 2556	2540	JaffaCakes118_60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea.exe	30
PID 2540 wrote to memory of 2556	2540	JaffaCakes118_60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea.exe	30
PID 2540 wrote to memory of 2556	2540	JaffaCakes118_60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea.exe	30
PID 2556 wrote to memory of 2368	2556	WScript.exe	31
PID 2556 wrote to memory of 2368	2556	WScript.exe	31
PID 2556 wrote to memory of 2368	2556	WScript.exe	31
PID 2556 wrote to memory of 2368	2556	WScript.exe	31
PID 2368 wrote to memory of 2728	2368	cmd.exe	33
PID 2368 wrote to memory of 2728	2368	cmd.exe	33
PID 2368 wrote to memory of 2728	2368	cmd.exe	33
PID 2368 wrote to memory of 2728	2368	cmd.exe	33
PID 2728 wrote to memory of 1540	2728	DllCommonsvc.exe	68
PID 2728 wrote to memory of 1540	2728	DllCommonsvc.exe	68
PID 2728 wrote to memory of 1540	2728	DllCommonsvc.exe	68
PID 2728 wrote to memory of 1716	2728	DllCommonsvc.exe	69
PID 2728 wrote to memory of 1716	2728	DllCommonsvc.exe	69
PID 2728 wrote to memory of 1716	2728	DllCommonsvc.exe	69
PID 2728 wrote to memory of 820	2728	DllCommonsvc.exe	70
PID 2728 wrote to memory of 820	2728	DllCommonsvc.exe	70
PID 2728 wrote to memory of 820	2728	DllCommonsvc.exe	70
PID 2728 wrote to memory of 2268	2728	DllCommonsvc.exe	72
PID 2728 wrote to memory of 2268	2728	DllCommonsvc.exe	72
PID 2728 wrote to memory of 2268	2728	DllCommonsvc.exe	72
PID 2728 wrote to memory of 1476	2728	DllCommonsvc.exe	73
PID 2728 wrote to memory of 1476	2728	DllCommonsvc.exe	73
PID 2728 wrote to memory of 1476	2728	DllCommonsvc.exe	73
PID 2728 wrote to memory of 1700	2728	DllCommonsvc.exe	76
PID 2728 wrote to memory of 1700	2728	DllCommonsvc.exe	76
PID 2728 wrote to memory of 1700	2728	DllCommonsvc.exe	76
PID 2728 wrote to memory of 1940	2728	DllCommonsvc.exe	78
PID 2728 wrote to memory of 1940	2728	DllCommonsvc.exe	78
PID 2728 wrote to memory of 1940	2728	DllCommonsvc.exe	78
PID 2728 wrote to memory of 1856	2728	DllCommonsvc.exe	79
PID 2728 wrote to memory of 1856	2728	DllCommonsvc.exe	79
PID 2728 wrote to memory of 1856	2728	DllCommonsvc.exe	79
PID 2728 wrote to memory of 1612	2728	DllCommonsvc.exe	80
PID 2728 wrote to memory of 1612	2728	DllCommonsvc.exe	80
PID 2728 wrote to memory of 1612	2728	DllCommonsvc.exe	80
PID 2728 wrote to memory of 1620	2728	DllCommonsvc.exe	81
PID 2728 wrote to memory of 1620	2728	DllCommonsvc.exe	81
PID 2728 wrote to memory of 1620	2728	DllCommonsvc.exe	81
PID 2728 wrote to memory of 868	2728	DllCommonsvc.exe	82
PID 2728 wrote to memory of 868	2728	DllCommonsvc.exe	82
PID 2728 wrote to memory of 868	2728	DllCommonsvc.exe	82
PID 2728 wrote to memory of 780	2728	DllCommonsvc.exe	84
PID 2728 wrote to memory of 780	2728	DllCommonsvc.exe	84
PID 2728 wrote to memory of 780	2728	DllCommonsvc.exe	84
PID 2728 wrote to memory of 1448	2728	DllCommonsvc.exe	92
PID 2728 wrote to memory of 1448	2728	DllCommonsvc.exe	92
PID 2728 wrote to memory of 1448	2728	DllCommonsvc.exe	92
PID 1448 wrote to memory of 2296	1448	wininit.exe	93
PID 1448 wrote to memory of 2296	1448	wininit.exe	93
PID 1448 wrote to memory of 2296	1448	wininit.exe	93
PID 2296 wrote to memory of 1516	2296	cmd.exe	95
PID 2296 wrote to memory of 1516	2296	cmd.exe	95
PID 2296 wrote to memory of 1516	2296	cmd.exe	95
PID 2296 wrote to memory of 2852	2296	cmd.exe	96
PID 2296 wrote to memory of 2852	2296	cmd.exe	96
PID 2296 wrote to memory of 2852	2296	cmd.exe	96
PID 2852 wrote to memory of 1052	2852	wininit.exe	98
PID 2852 wrote to memory of 1052	2852	wininit.exe	98
PID 2852 wrote to memory of 1052	2852	wininit.exe	98
PID 1052 wrote to memory of 1180	1052	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60b285d6209835f3fbcb3bcbc5a3a81e2d77d9cb642a68d19e549def7a201fea.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\es-ES\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1516
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1180
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat"
        10⤵
        
        PID:1300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:612
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        12⤵
        
        PID:2372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2168
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        14⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2740
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
        16⤵
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1644
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
        18⤵
        
        PID:752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:908
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat"
        20⤵
        
        PID:852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2852
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
        22⤵
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2712
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        24⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2868
        
        C:\Program Files\MSBuild\wininit.exe
        
        "C:\Program Files\MSBuild\wininit.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Recent\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ehome\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Links\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34d9e4b9a6fcc4030f3b5cb354ff7f96

SHA1
5c9eded9ce2e4241e5eaf3f0d6020a9d93530c98

SHA256
a5327c90147cdebd4b23a3a04b84d2f6df307a41265274021586b15a0fb6a595

SHA512
277df59b69e5db89c0248354c9c0a4e2cffa42c75f662420350e9dbf7a117327d2e41b6399e5724c5a16eaec1bcf499c9e1a2358b388191a13c8c1a28678b5ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cca786867de93c64e681ca0620400f8

SHA1
6335dac61c709379f61732f911a7aa2a52d71d29

SHA256
998c7043e39163a0082cc8bb0ebaf3a59a7cebe20e578a2cb27bcf543f79ce7f

SHA512
4e5cc64b118924710eac88a4b829f62c4bf7c85fe489b7d490f97927fda81e727351d1b5d4e673f5733eb917b0aef656feb0c7bbc6a6905352263b53149b1965

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
473c52fe174430fdbba394964789268d

SHA1
2fdc712c3ef7c9f3b83dfd42eaa6840c62656766

SHA256
9abce2bec428cd64c832df134f434b9fb6bf0b6e6869ba14279d7b20eea9b6cf

SHA512
5bae5341aab3bbaac3b6dafb6823a4a2c22bb56e6b93cb30fdb743f01f61b3dbe05b4755517495f2c3f864d105bb1004ce28b426d418973ff3f59708aa769c15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e61df35e1d6a492b5c8c9b0c9b4a5b7b

SHA1
c45cdc43fe7f8be5179241d5d9f2478defc10fec

SHA256
b141007042464bb00c870e6411560cbbf7694e42d85b2d85abf3833dacbc52ab

SHA512
bfd7ed54039e8bd0906518db0b94c2ef275e44c91f337c63cc1aa8bce7df83aaa06e4cf97853e2d4684632aa8b44a251c2df5bf3135567390c9754dd20938a03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
042b4242504d3077ee442a1ca79da259

SHA1
87fba9870301d85414fe41faa76629b6be892e98

SHA256
3ba8f4500f3658577d84633f3f079b657291704452e40d87560afeaa7b41c813

SHA512
148140d0a68f580d13b05e892d09ccd45164fd8fd9753e05b7e3a5944bcaff669a15f02305c52b95d6053d1cd537f909c551ecb09ac1541d989aad06c66610d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76ce1e9f136b172fdcee0677c62ab5dd

SHA1
164d8c54d966fbaf18a9c3930e6b82c157915a54

SHA256
b8c421e1b55599e1a0fdaf4cc0425751155ef8fc626e0205cec9700848b47dfc

SHA512
051dd841c176f0e54db8870b45cd7ecb939106757a972ed820190ec0ea63fa6663c76d0067a17722ee4aa2f655f954586066e01d521b555d9234ce38b99401a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f35df709683cb55a673c9fc83baedd9a

SHA1
d2ad58473a4ae3282cacf1dac1c9853730daf4f0

SHA256
8e33c96870704c86c6dfcd0bedf7504c0748cc44f9db40029313ff036b811140

SHA512
7ff739c6f1e6667c37ea76e46fa0ffae366abda6ceb5d484f8e6d461a8df38cbc7698cfaa654b74ccca84db7a5dbc7c756fc0b2e5d59aaacc115eea0a5df7ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6ef75f4a6a63458a4290c52f77dc56e

SHA1
819a234fab5be5b65801ce248e2cfd442fd2cee0

SHA256
128a90878fa4bb4cba43799537eedf20c2b4a7d16071111cb352ce0bd1aaa977

SHA512
242583dd61a31e94c3bed5aa3b4e3b9185fb6b0c947b02231d3566821e706b05496d1ee2b2cbe94b2d37f1a749143b4bb65eab66ee715800b2e476d5b2a6c1b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
711aa27258cbd8265597673e879e5762

SHA1
8c46aab82bed08949ec32a444f20efc403699f63

SHA256
7bfda8f8eeb330e83217ae604a902a8569939be5c690c6a0bc6a4a4b2ac27d47

SHA512
c96c7e71283018492ca59603f75ed4adc583173106bd3c61010b2096e00a15cca2e1bdcb87c7d51537987e7157df1d1c87cceb682d1bedb72282d478fb3c0f38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cec314d47727a69bc56d9fd62d9bf35d

SHA1
0b2c8e8ea14011019aafcfa7500822c43c0edeb9

SHA256
de3c9e3d1b45aa9292c4fe3892adee60b6f1845f2e4ee4aa5471fa0b4943298a

SHA512
a3da23421c6e741f36712fb3033089357322f0c5208289aca5d7ece6f5aabe729596dcf0750d0360b93e83066a1885a321b217fe23e5f935d35e21b30d704380

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
201B

MD5
67106639092105e90a2916937ec5df57

SHA1
62edef0e2797175bf6da5e2a5d2088cc9e060de5

SHA256
feae800fbe519f613b27678d8a631b918a0975bfba76e8e623994461598d007d

SHA512
10c6eb23d75ae79f6c32301788ed999bf1b0f043b9e5135f9d09ddb216d2b0fed3ce798db2dd1df536100ecd793b2e608ff14ce51051d298ac0d3902e2008c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

Filesize
201B

MD5
1f4feb545bac802da76a15593162f716

SHA1
120b5c01afc559887a11963ef6e36e70f9b855aa

SHA256
aa908673dd314c35958240ac26e17b3ac5336c6397fc214845a978a1789e9418

SHA512
a052936f4175f5ab3bda172ae34178d251b4444596a19409121eca2579c1b0a73bba13d095223a499c781eb3c20b78a8b675008c97e4b81b61450ee6dbe32023

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB608.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

Filesize
201B

MD5
5e4dbe0d91e126065fc3277fb1a1d196

SHA1
1c6460a309d02566c5d5c39976cbf328875edab3

SHA256
16ee2544e6c8272538c55865204de22952f9ac302bbde9d2338a252850151a73

SHA512
6e9e517cc54cc17fb9699ae6de62ae3ac23ea01246691b43df316787122131681793d1d0e3bf727793aa6350477cbd43875a5abd148157bb022406b18b8ef1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat

Filesize
201B

MD5
018eb3f6d0976f75ab81cdd630cae481

SHA1
d0434fcb56788cf23b0d8982a6148707d48142c5

SHA256
746d8aef8cbe2dce6bc9172b49dc1e125772963a5116dbe66cbd38ef3df1d4be

SHA512
f60e086c1c44063b36423f81226c298a872c80d36a3ee5c02a4500af9fe5dfad31da1cc02c12a5f93ec7142e43cea69e7ca00c31d159c6d64d710c4a3e0bafbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
201B

MD5
55d01a7df559a08a2e129ddc65a67329

SHA1
3e17878eef778f707ad79b0a09e9fdff37665d4b

SHA256
c7c57f4b03d9d162d2748b0e097bb4ee0df081699b0e2f9829ba72fcbc8b515d

SHA512
3a510c400ae0bb1863ef6cd5c070c4c4d8df7f67e50af33b35537a4d890ff7d2bfc9e28d253dba242cc5ddda89beb370549029df5ee48771dcb81e842485e210

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
201B

MD5
44738fafc6467dfc3d64a8c6a744d411

SHA1
a7fd0ffd12adaf1cbf740545b09b2277eb2d9e90

SHA256
9908348e3e53a9fe7937d1670b74f471088ae2596af1e07fcbd1614b81dfb73c

SHA512
5bf75e4f5f554b18899f7c1617ca0e9696bb719c203e34b1d273ae013c7f7f6ab0929e4ce4b6018717dd89c0875f277206df7074832f86cd6b076f1aea4cee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB64A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
201B

MD5
86369b030a6ee4b533089b549b62509a

SHA1
5706818ecdcb25a07a8fd9dc635981d29a0756ef

SHA256
a52d0a447ba4d847c857c05086eba425a61292d91de133ef2b9c873db2f4b3fe

SHA512
24abb1633d99c54c71dd5e63dc39ab0d9fce312114928198325fe0351f7a850e8fba350e30d2a9f5cbd99d9cc834dde36b2371ddf209fb272179fe06a330aba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat

Filesize
201B

MD5
3642f3114407a216e7aede93d754bc6a

SHA1
0a2483df24f47e42dbf0e70942babddb923807f8

SHA256
9475cb9f0b404e60dc45a34e4890d6dd5b41014d2c3d11088ec5a442ea3d54dd

SHA512
18c74bd81aad3e3a386c0613735a9b16065fb816df1522ea6b2a2ba0b23467db5c352fcf3666cd2dce07cd61f6dbd649f5ac80b742b6c0a5ae3fb8e9f67b725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat

Filesize
201B

MD5
a148be92e7ffc38e9afb9c1a39be420c

SHA1
d30db1b3c64574222705a072a61f86f476c45e14

SHA256
b5449ee01506b3c05ae323ff17776b89ab8a78de7d0c207d6704cbd072ccd2c0

SHA512
eef56cfac7d24daab7d3756e29a39a455df83e516feabaca5071d122d1b50e5e2dd498fefb2f3326f8e425d9ae90fc802ae4b160ea305b11773a31a3a56f8fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat

Filesize
201B

MD5
6be1425334519f30b5e13d2d4787d998

SHA1
4667110d2612ecbeb2ca524ebf54d48319ad5ca0

SHA256
a6ffcdd65c44be79f9f4609ea359d0a77bc9511247990a64a8c74a1758674e2d

SHA512
0536053f02a69d15ea110235b5545c36c03beedb836d45b0dc073bfce8a8bbf01bed87ebd58c07cc7025bbf39c541741165574dd85cbad6ac57e67617e33e064

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5GSGYJSUGQDWD1VBW5YC.temp

Filesize
7KB

MD5
cb2321ef162b1e27c4d2ac8b023878cc

SHA1
68cd42a62c802eb14150708a857b97a785922c0b

SHA256
6ddbbb267ee2266d0b4ac307483ed1efe584022c66db5ac493832c7ad4fa93bd

SHA512
94f0395424f57c7e6c7b17f8b8884d6bcc5624bb8f272bafc245b2c1573c6d159025bd2cffc871c10078fa77c3f5f64627e01a15591fe1763f83f5ba8ddea200

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1448-57-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/1716-58-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1716-56-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1852-405-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2072-585-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/2252-525-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download
memory/2328-465-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2424-645-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2728-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2728-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2728-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2728-17-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/2728-13-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/2816-286-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2852-166-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2880-226-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download