dcrat | 2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a.exe
Size

1.3MB
MD5

f696c42e5af45f3314aa80f9fcc904a9
SHA1

6c9d93f2f88360826c361f59f066e6a169ba51e7
SHA256

2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a
SHA512

16296e2756116e89c4ccf5a379fca96343c33ccaa18e09d5fe097ef1bd97d919a482bae9ece585ad4a40f95abc3785b257e69345637094823f0db616e77f612e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2012	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2012	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d3a-9.dat	dcrat
behavioral1/memory/572-13-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/3000-115-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/784-175-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/1060-473-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2996-533-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2176-593-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/3036-653-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
1792	powershell.exe
2136	powershell.exe
848	powershell.exe
1200	powershell.exe
1376	powershell.exe
1712	powershell.exe
3064	powershell.exe
2376	powershell.exe
1796	powershell.exe
2024	powershell.exe
1880	powershell.exe
2212	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
572	DllCommonsvc.exe
3000	sppsvc.exe
784	sppsvc.exe
1532	sppsvc.exe
2220	sppsvc.exe
1688	sppsvc.exe
2636	sppsvc.exe
1060	sppsvc.exe
2996	sppsvc.exe
2176	sppsvc.exe
3036	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	cmd.exe
2228	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1592	schtasks.exe
1516	schtasks.exe
1292	schtasks.exe
1524	schtasks.exe
1020	schtasks.exe
2872	schtasks.exe
404	schtasks.exe
2516	schtasks.exe
904	schtasks.exe
2904	schtasks.exe
2160	schtasks.exe
2124	schtasks.exe
2556	schtasks.exe
2668	schtasks.exe
2600	schtasks.exe
872	schtasks.exe
2536	schtasks.exe
2632	schtasks.exe
2288	schtasks.exe
776	schtasks.exe
2116	schtasks.exe
2036	schtasks.exe
2732	schtasks.exe
2096	schtasks.exe
1800	schtasks.exe
1900	schtasks.exe
2564	schtasks.exe
2404	schtasks.exe
3012	schtasks.exe
2220	schtasks.exe
912	schtasks.exe
2508	schtasks.exe
596	schtasks.exe
2044	schtasks.exe
2736	schtasks.exe
1928	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
3000	sppsvc.exe
784	sppsvc.exe
1532	sppsvc.exe
2220	sppsvc.exe
1688	sppsvc.exe
2636	sppsvc.exe
1060	sppsvc.exe
2996	sppsvc.exe
2176	sppsvc.exe
3036	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
572	DllCommonsvc.exe
848	powershell.exe
1200	powershell.exe
1376	powershell.exe
1796	powershell.exe
2136	powershell.exe
2376	powershell.exe
2212	powershell.exe
2024	powershell.exe
3064	powershell.exe
1880	powershell.exe
3048	powershell.exe
1712	powershell.exe
1792	powershell.exe
3000	sppsvc.exe
784	sppsvc.exe
1532	sppsvc.exe
2220	sppsvc.exe
1688	sppsvc.exe
2636	sppsvc.exe
1060	sppsvc.exe
2996	sppsvc.exe
2176	sppsvc.exe
3036	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	DllCommonsvc.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	3000	sppsvc.exe
Token: SeDebugPrivilege	784	sppsvc.exe
Token: SeDebugPrivilege	1532	sppsvc.exe
Token: SeDebugPrivilege	2220	sppsvc.exe
Token: SeDebugPrivilege	1688	sppsvc.exe
Token: SeDebugPrivilege	2636	sppsvc.exe
Token: SeDebugPrivilege	1060	sppsvc.exe
Token: SeDebugPrivilege	2996	sppsvc.exe
Token: SeDebugPrivilege	2176	sppsvc.exe
Token: SeDebugPrivilege	3036	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2436	2464	JaffaCakes118_2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a.exe	31
PID 2464 wrote to memory of 2436	2464	JaffaCakes118_2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a.exe	31
PID 2464 wrote to memory of 2436	2464	JaffaCakes118_2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a.exe	31
PID 2464 wrote to memory of 2436	2464	JaffaCakes118_2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a.exe	31
PID 2436 wrote to memory of 2228	2436	WScript.exe	32
PID 2436 wrote to memory of 2228	2436	WScript.exe	32
PID 2436 wrote to memory of 2228	2436	WScript.exe	32
PID 2436 wrote to memory of 2228	2436	WScript.exe	32
PID 2228 wrote to memory of 572	2228	cmd.exe	34
PID 2228 wrote to memory of 572	2228	cmd.exe	34
PID 2228 wrote to memory of 572	2228	cmd.exe	34
PID 2228 wrote to memory of 572	2228	cmd.exe	34
PID 572 wrote to memory of 1200	572	DllCommonsvc.exe	72
PID 572 wrote to memory of 1200	572	DllCommonsvc.exe	72
PID 572 wrote to memory of 1200	572	DllCommonsvc.exe	72
PID 572 wrote to memory of 2024	572	DllCommonsvc.exe	73
PID 572 wrote to memory of 2024	572	DllCommonsvc.exe	73
PID 572 wrote to memory of 2024	572	DllCommonsvc.exe	73
PID 572 wrote to memory of 1880	572	DllCommonsvc.exe	74
PID 572 wrote to memory of 1880	572	DllCommonsvc.exe	74
PID 572 wrote to memory of 1880	572	DllCommonsvc.exe	74
PID 572 wrote to memory of 848	572	DllCommonsvc.exe	76
PID 572 wrote to memory of 848	572	DllCommonsvc.exe	76
PID 572 wrote to memory of 848	572	DllCommonsvc.exe	76
PID 572 wrote to memory of 2136	572	DllCommonsvc.exe	78
PID 572 wrote to memory of 2136	572	DllCommonsvc.exe	78
PID 572 wrote to memory of 2136	572	DllCommonsvc.exe	78
PID 572 wrote to memory of 1796	572	DllCommonsvc.exe	79
PID 572 wrote to memory of 1796	572	DllCommonsvc.exe	79
PID 572 wrote to memory of 1796	572	DllCommonsvc.exe	79
PID 572 wrote to memory of 2376	572	DllCommonsvc.exe	80
PID 572 wrote to memory of 2376	572	DllCommonsvc.exe	80
PID 572 wrote to memory of 2376	572	DllCommonsvc.exe	80
PID 572 wrote to memory of 1376	572	DllCommonsvc.exe	81
PID 572 wrote to memory of 1376	572	DllCommonsvc.exe	81
PID 572 wrote to memory of 1376	572	DllCommonsvc.exe	81
PID 572 wrote to memory of 1792	572	DllCommonsvc.exe	83
PID 572 wrote to memory of 1792	572	DllCommonsvc.exe	83
PID 572 wrote to memory of 1792	572	DllCommonsvc.exe	83
PID 572 wrote to memory of 3048	572	DllCommonsvc.exe	85
PID 572 wrote to memory of 3048	572	DllCommonsvc.exe	85
PID 572 wrote to memory of 3048	572	DllCommonsvc.exe	85
PID 572 wrote to memory of 3064	572	DllCommonsvc.exe	86
PID 572 wrote to memory of 3064	572	DllCommonsvc.exe	86
PID 572 wrote to memory of 3064	572	DllCommonsvc.exe	86
PID 572 wrote to memory of 1712	572	DllCommonsvc.exe	88
PID 572 wrote to memory of 1712	572	DllCommonsvc.exe	88
PID 572 wrote to memory of 1712	572	DllCommonsvc.exe	88
PID 572 wrote to memory of 2212	572	DllCommonsvc.exe	90
PID 572 wrote to memory of 2212	572	DllCommonsvc.exe	90
PID 572 wrote to memory of 2212	572	DllCommonsvc.exe	90
PID 572 wrote to memory of 2304	572	DllCommonsvc.exe	98
PID 572 wrote to memory of 2304	572	DllCommonsvc.exe	98
PID 572 wrote to memory of 2304	572	DllCommonsvc.exe	98
PID 2304 wrote to memory of 900	2304	cmd.exe	100
PID 2304 wrote to memory of 900	2304	cmd.exe	100
PID 2304 wrote to memory of 900	2304	cmd.exe	100
PID 2304 wrote to memory of 3000	2304	cmd.exe	101
PID 2304 wrote to memory of 3000	2304	cmd.exe	101
PID 2304 wrote to memory of 3000	2304	cmd.exe	101
PID 2304 wrote to memory of 3000	2304	cmd.exe	101
PID 2304 wrote to memory of 3000	2304	cmd.exe	101
PID 3000 wrote to memory of 1676	3000	sppsvc.exe	102
PID 3000 wrote to memory of 1676	3000	sppsvc.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2601e5c17f1f7de9073eabc747988f762f1f1c0cfd68c4be14759ee52fbcfe3a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\extensions\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvVLoPKVgv.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:900
      - C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
        7⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2892
        
        C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
        9⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3060
        
        C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        11⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:572
        
        C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
        13⤵
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:884
        
        C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
        15⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2600
        
        C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        17⤵
        
        PID:992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2696
        
        C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
        19⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2372
        
        C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
        21⤵
        
        PID:2704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1380
        
        C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        23⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1672
        
        C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48dd6ae54fc479d1cc4593d1af9b9490

SHA1
977a7674cc348c0fecbd9b2065771c3d5b0cd753

SHA256
af7f7e96cfaba875663e11e376364c7aed47d5fba962a21a61fca2403fe49bdf

SHA512
0c54c3ebc6a13d839d83062c1f81750c7dde9975cd5fe006fa35614df82f68ba87ae22713e5d9dd24affefc7c7b14f30d934459052b25dbf0d3b853d22ed97f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
344effbdec9bad9722cc4632665fe095

SHA1
ccd45238e5dc7a4c588da0bc18c55d695102455d

SHA256
930b31dc29a99bdf7bb165255043ae685a8c631ef136910f851080263f7579bb

SHA512
79346b95bfe774c268489f6418e1eeec95a9b06f1cfb437b53cecc41e80fa81b22dcbaab2fccdaeb0adf89571c3f720bea7286425fa06b2f3e9187aea4fda3b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42329e2fb932974bf64669be2c2fbf00

SHA1
7e1877c386938c43cbe8c81d1795f6d403149713

SHA256
68e92d94b8d06b924afbfbd2a9d7e07872d0c0bfd0aa1554ef4d3e6b5cb6de71

SHA512
fa10d9f1265132e6c9723c850422dc43a36618f870d2cfd038e468b3f1ef6d41116449a209a20a5bf795dc91f6874ffb3a120972205c1dc9abc2dbbc3c7211cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4286da10c9cd6eaea0780037f69073db

SHA1
0db0a0feb3f9dffb427b050808cff08d2e2cba3a

SHA256
30f6365f668d1c66ad8c88ee3e3deec89f7b3213ebe9e6d1729afa6f2d51b706

SHA512
6192155efe94d8d696004ef6a491b7266b0d3d681297cedd1a8bf2ec2b3e94a174ae1def412aca5829084cba1b472976a9006d3043efa47a69027585584df64d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d90e3539966a9131352ca78fec5c2883

SHA1
80b7ff12f3e6ee0c1c65cb47c2f7f70b549cb8f8

SHA256
ed5ec1a947a1bb35bdeb5e155fba08bfc999d30530324488d41560e4e5bc16cb

SHA512
e70fc5cf81ef8f498c221de3c9bfead86278df9786f2e3be77454d64433e11785f966dba152066c0529b9026b04753477abbefcf010db5dcb2e646e9ca16a9b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef1a66e616f7644a4a3c41a229713bb0

SHA1
8e5689f5f714a0bd6c59687193d199372d5be144

SHA256
12748acbf2e8f04db62fd57521c2e1567d071ace79f2fde0080eed8a35f9cf1b

SHA512
01f36a4c7a1fd1e1fe84dc75837982978f4685e91deb7e6d9d0a06fd8d03c820fe37bb3ece990df4ba9973579e600e621447945e20c40114f7e5cba2befe59f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c68326a2d971600d5f431a954595af0

SHA1
b013820bc5a482acc6a9c0fd8f4844f7a2b35a6a

SHA256
63662221938e230582071ee4dd2874ab5b5c2d6bbe816b7f26f741fc4373f04a

SHA512
ceaf38ef441b734ab2e47a03439e89a77ce9b5d4be0f1009fc234d04c4a6e079f913a53f38cebd524f7daceb4ec7c6ad3053be790894022877a63f3a5c4cbbe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4e61b7321f88d6e27ea55c10399981b

SHA1
091b06cd247626c26e5a9429d238dd9263f60159

SHA256
41e0e6999600289f9bc93fd799edf72dc1a0af0d5ac464764f8c511bf199a4f7

SHA512
3033d73d9a9437a8bcab41177799b82bc9c7822e72a66f355fa87bcb7aec22c84da16e7e22a87fea5d318b196e14fd23a9f5e38f72d1a0358acb38de270ea1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

Filesize
220B

MD5
896873c990991232be34d39f50746cd7

SHA1
45c4953a2f24b4291484fa69afbb11aec60b7aa4

SHA256
21ca8289f0e1b230b6d131a9a8b8e99a713056c8f55da914c93fe73213935b8c

SHA512
ffdadf7212152e404e6f6e31ec6376cc4b546b27e41d9bfd888613f1fe32debb70e735cf9f2b7e4c1ad3664f5095c6f8577bca7909705d6c3659c45c322bfd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
220B

MD5
1cd7b98fdf8025113a7a40ae4c60b294

SHA1
dea30d9dbd72c930671ea8cbe8e75c54b811e922

SHA256
b332e12d572fa8b4dde2a6e54513807bd7e74f5e053a169b52acb712110e631f

SHA512
3115ac9f2ea49d17e01d5328cadc98b2ab4d8234bfdcc36fd8c44a40621ee9e5815e60f2e4dc08cce5326560ad08120e186395d59dcb01338326905a9ba891d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab28D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat

Filesize
220B

MD5
42a7bbc3df1113bc0a9c5effd598b057

SHA1
400fba7c59398ba7b960959a9040292219d1ec9d

SHA256
68b3b4689cb3ccb879f5ae1c46d89239b2390f840aa97939f50778945ee1733d

SHA512
a2fae727b78eee9bace06c52aef6a63e5c3d33afaa05bcd358eef09a54c9899604a0bfb42e252bf59e7fc975036192f8bb05c9f6dc4b9156565a72a9c072490c

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
220B

MD5
de16ed80e9b1f5c6bddc1aa8ba4e2c78

SHA1
3d7d900b50b850df1695ae81e76205cb36514d24

SHA256
57bdf99e0e20a74fb6ed27f7694a14662726a8e7a7855edbb6b11d9a4f4b4af4

SHA512
a54df2d07261f8ca82d3aadab33f6d4466f85b36a9a42528729aee0e0eb30521ff89526a65e7c01e78b1377001172e5ae92dd40dd9d00e3e4de62323d69c683a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvVLoPKVgv.bat

Filesize
220B

MD5
8dc4f2b253d37cdf980b13b567300285

SHA1
25de2d47ffac7cbb667c6a9da93b8c16f96f8b45

SHA256
eac1cbc2d5395ac494bb14f239a058eab2ad40442a0e93890852e3b958fe1e6f

SHA512
f75b58b37ffdcb2b9a300f7088f062643b0dc97f62e90cb7dba755a5d344909e2041f5515c44d7b1b0ab052cd12f4e72a31d1139f5eb051fbae4570687c8fefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

Filesize
220B

MD5
947de5a56f983e1a59445e07e97d2025

SHA1
2d5241480cca096b5518f89cab156a5cf7a22617

SHA256
59d200d92b983250d821d8ed4fc1615b48530c4550b3c82d02ba9ed4162a08e0

SHA512
d83d74564bf315b48575b4dcb9eb0539f976777584578dac8c8d193056f55ddacf43302a88ade4e0c90a65b75e2238cf144b4c5ccf6811c12d73baf1675f9ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar28F9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat

Filesize
220B

MD5
d090f3bd0466aeff88ff6f7d626c20c9

SHA1
c1784f1eee4e5f6bd193312b290a6736732ac80f

SHA256
8dae67e7cc6203a2f7c6402c29f5563c38f4105086f5764e0825297bdeba1971

SHA512
470a10cf6c6b2e07a97e79c50e8b82421323e9621f5da1a17842d53f3d1727c3b40841f1b45a7f7b923d6de5501633bf3bc9b0e175fd3c2f4fb80344f7bec2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
220B

MD5
f840aeafa8354c8773a227b52520f21e

SHA1
f69315cd6d34e88bbf9a206500b1e4f006930012

SHA256
11b4119c46975cd8ef82d99cae0cb17d12aaf72514f08db0321f7a224996abb4

SHA512
254ee3f1952db80f89df031c9a0a859e15e61f24af61c13fd5edff9dcf380111ffe876d87ea1d40b2df08b3074e4e7d8ddc910e80bbd7e3e6bc489eef4514479

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

Filesize
220B

MD5
8ed1e18fc58483922f7858c194e1b4ac

SHA1
c34836722db8350a9fc24aaec4bcec4c7cff687d

SHA256
30f16031eb99109b221b8a8c86916cc654c69c4c2d210e1677be8ea227d48c4e

SHA512
c1655a97c3fe78c20e8ea93e1f8731104f2c0e71f13300d2c697958d7ddeade1801c2d0b771e4d371ff9568216d8f4fa90540751593b46729147e2a0378009df

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
220B

MD5
afe0aa044f27fecbd6c98474e8fdcea0

SHA1
246cb12c4acaeb51873e8b5e72192bd058758426

SHA256
64cc27488d4edaf067823ffc602d8bd4bfe7c9770a72e68e4eacc62e44201662

SHA512
1cf345e4a43e8174d31d94ccae9600d81fa41e259163cc66645658ce9e9929a5484e4f7c663862ed8ddb0b89943f73882d42e23b42c3ca521cfafc6d517ce432

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LU4FBIUYSKD26EWDSIUT.temp

Filesize
7KB

MD5
cda5bfb5d1edb496f2cd575b7ff1d5fb

SHA1
fc5073ee727b60cef5526d7b73514f55e8311857

SHA256
24ec859c5c01ed8d9eacfd78d41b05d09d6968df372dad0c97ba7d55542b9e99

SHA512
0da083df06eddb83f44c32392ed6474af982a8d45df49b390541bfd9b8a89dc9e25d62899fd8d226ec47a42d155c394a2253027cebef68097aaa08a349f14705

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/572-17-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/572-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/572-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/572-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/572-13-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/784-175-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/848-51-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/848-50-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1060-473-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/1532-235-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1688-354-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2176-593-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2996-533-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/3000-116-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3000-115-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/3036-653-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download