dcrat | ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f.exe
Size

1.3MB
MD5

bb99bf46c703958b2b7464055b68ce6d
SHA1

8a1fa2e73df4bb30f8a47129dcca581e244026c3
SHA256

ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f
SHA512

893f7b6e2c166dd2eff75e57af78ff1622fa7871616dd863b046d97a39a4c2db49fff536b59eae43c8672247d8bd4b495bcb1fed452bf8fe351e976ab1e3f509
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2592	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001932d-9.dat	dcrat
behavioral1/memory/2444-13-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1240-101-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/2728-160-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/2508-220-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/1564-280-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2820-340-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/1104-400-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1016-460-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2312-698-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
892	powershell.exe
924	powershell.exe
2684	powershell.exe
3016	powershell.exe
600	powershell.exe
2468	powershell.exe
832	powershell.exe
2368	powershell.exe
2092	powershell.exe
1616	powershell.exe
1668	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2444	DllCommonsvc.exe
1240	DllCommonsvc.exe
2728	DllCommonsvc.exe
2508	DllCommonsvc.exe
1564	DllCommonsvc.exe
2820	DllCommonsvc.exe
1104	DllCommonsvc.exe
1016	DllCommonsvc.exe
2840	DllCommonsvc.exe
2492	DllCommonsvc.exe
2692	DllCommonsvc.exe
2312	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	cmd.exe
3044	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\es-ES\OSPPSVC.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe
2332	schtasks.exe
1844	schtasks.exe
1884	schtasks.exe
2248	schtasks.exe
2168	schtasks.exe
2024	schtasks.exe
2424	schtasks.exe
540	schtasks.exe
448	schtasks.exe
948	schtasks.exe
324	schtasks.exe
1860	schtasks.exe
2752	schtasks.exe
2360	schtasks.exe
584	schtasks.exe
1688	schtasks.exe
2116	schtasks.exe
1392	schtasks.exe
2816	schtasks.exe
2344	schtasks.exe
2420	schtasks.exe
1996	schtasks.exe
1300	schtasks.exe
2480	schtasks.exe
1164	schtasks.exe
2648	schtasks.exe
1240	schtasks.exe
884	schtasks.exe
1276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2444	DllCommonsvc.exe
2444	DllCommonsvc.exe
2444	DllCommonsvc.exe
892	powershell.exe
2368	powershell.exe
832	powershell.exe
1616	powershell.exe
3016	powershell.exe
2092	powershell.exe
1668	powershell.exe
2468	powershell.exe
924	powershell.exe
2684	powershell.exe
600	powershell.exe
1240	DllCommonsvc.exe
2728	DllCommonsvc.exe
2508	DllCommonsvc.exe
1564	DllCommonsvc.exe
2820	DllCommonsvc.exe
1104	DllCommonsvc.exe
1016	DllCommonsvc.exe
2840	DllCommonsvc.exe
2492	DllCommonsvc.exe
2692	DllCommonsvc.exe
2312	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	DllCommonsvc.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1240	DllCommonsvc.exe
Token: SeDebugPrivilege	2728	DllCommonsvc.exe
Token: SeDebugPrivilege	2508	DllCommonsvc.exe
Token: SeDebugPrivilege	1564	DllCommonsvc.exe
Token: SeDebugPrivilege	2820	DllCommonsvc.exe
Token: SeDebugPrivilege	1104	DllCommonsvc.exe
Token: SeDebugPrivilege	1016	DllCommonsvc.exe
Token: SeDebugPrivilege	2840	DllCommonsvc.exe
Token: SeDebugPrivilege	2492	DllCommonsvc.exe
Token: SeDebugPrivilege	2692	DllCommonsvc.exe
Token: SeDebugPrivilege	2312	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2732	2264	JaffaCakes118_ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f.exe	30
PID 2264 wrote to memory of 2732	2264	JaffaCakes118_ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f.exe	30
PID 2264 wrote to memory of 2732	2264	JaffaCakes118_ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f.exe	30
PID 2264 wrote to memory of 2732	2264	JaffaCakes118_ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f.exe	30
PID 2732 wrote to memory of 3044	2732	WScript.exe	31
PID 2732 wrote to memory of 3044	2732	WScript.exe	31
PID 2732 wrote to memory of 3044	2732	WScript.exe	31
PID 2732 wrote to memory of 3044	2732	WScript.exe	31
PID 3044 wrote to memory of 2444	3044	cmd.exe	33
PID 3044 wrote to memory of 2444	3044	cmd.exe	33
PID 3044 wrote to memory of 2444	3044	cmd.exe	33
PID 3044 wrote to memory of 2444	3044	cmd.exe	33
PID 2444 wrote to memory of 2092	2444	DllCommonsvc.exe	65
PID 2444 wrote to memory of 2092	2444	DllCommonsvc.exe	65
PID 2444 wrote to memory of 2092	2444	DllCommonsvc.exe	65
PID 2444 wrote to memory of 2368	2444	DllCommonsvc.exe	66
PID 2444 wrote to memory of 2368	2444	DllCommonsvc.exe	66
PID 2444 wrote to memory of 2368	2444	DllCommonsvc.exe	66
PID 2444 wrote to memory of 2468	2444	DllCommonsvc.exe	67
PID 2444 wrote to memory of 2468	2444	DllCommonsvc.exe	67
PID 2444 wrote to memory of 2468	2444	DllCommonsvc.exe	67
PID 2444 wrote to memory of 600	2444	DllCommonsvc.exe	68
PID 2444 wrote to memory of 600	2444	DllCommonsvc.exe	68
PID 2444 wrote to memory of 600	2444	DllCommonsvc.exe	68
PID 2444 wrote to memory of 892	2444	DllCommonsvc.exe	69
PID 2444 wrote to memory of 892	2444	DllCommonsvc.exe	69
PID 2444 wrote to memory of 892	2444	DllCommonsvc.exe	69
PID 2444 wrote to memory of 832	2444	DllCommonsvc.exe	70
PID 2444 wrote to memory of 832	2444	DllCommonsvc.exe	70
PID 2444 wrote to memory of 832	2444	DllCommonsvc.exe	70
PID 2444 wrote to memory of 924	2444	DllCommonsvc.exe	71
PID 2444 wrote to memory of 924	2444	DllCommonsvc.exe	71
PID 2444 wrote to memory of 924	2444	DllCommonsvc.exe	71
PID 2444 wrote to memory of 2684	2444	DllCommonsvc.exe	72
PID 2444 wrote to memory of 2684	2444	DllCommonsvc.exe	72
PID 2444 wrote to memory of 2684	2444	DllCommonsvc.exe	72
PID 2444 wrote to memory of 3016	2444	DllCommonsvc.exe	73
PID 2444 wrote to memory of 3016	2444	DllCommonsvc.exe	73
PID 2444 wrote to memory of 3016	2444	DllCommonsvc.exe	73
PID 2444 wrote to memory of 1616	2444	DllCommonsvc.exe	74
PID 2444 wrote to memory of 1616	2444	DllCommonsvc.exe	74
PID 2444 wrote to memory of 1616	2444	DllCommonsvc.exe	74
PID 2444 wrote to memory of 1668	2444	DllCommonsvc.exe	75
PID 2444 wrote to memory of 1668	2444	DllCommonsvc.exe	75
PID 2444 wrote to memory of 1668	2444	DllCommonsvc.exe	75
PID 2444 wrote to memory of 1584	2444	DllCommonsvc.exe	82
PID 2444 wrote to memory of 1584	2444	DllCommonsvc.exe	82
PID 2444 wrote to memory of 1584	2444	DllCommonsvc.exe	82
PID 1584 wrote to memory of 2840	1584	cmd.exe	89
PID 1584 wrote to memory of 2840	1584	cmd.exe	89
PID 1584 wrote to memory of 2840	1584	cmd.exe	89
PID 1584 wrote to memory of 1240	1584	cmd.exe	90
PID 1584 wrote to memory of 1240	1584	cmd.exe	90
PID 1584 wrote to memory of 1240	1584	cmd.exe	90
PID 1240 wrote to memory of 2148	1240	DllCommonsvc.exe	91
PID 1240 wrote to memory of 2148	1240	DllCommonsvc.exe	91
PID 1240 wrote to memory of 2148	1240	DllCommonsvc.exe	91
PID 2148 wrote to memory of 2248	2148	cmd.exe	93
PID 2148 wrote to memory of 2248	2148	cmd.exe	93
PID 2148 wrote to memory of 2248	2148	cmd.exe	93
PID 2148 wrote to memory of 2728	2148	cmd.exe	94
PID 2148 wrote to memory of 2728	2148	cmd.exe	94
PID 2148 wrote to memory of 2728	2148	cmd.exe	94
PID 2728 wrote to memory of 1996	2728	DllCommonsvc.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab49f9520f703ec5ef5267e9be7efdef97591ba0c47c8872038a3ffa35fda55f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mHUpvBCeD9.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2840
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2248
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
        9⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1204
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
        11⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2440
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat"
        13⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2360
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        15⤵
        
        PID:1004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1364
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"
        17⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:796
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
        19⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1632
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        21⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1292
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        23⤵
        
        PID:1616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2252
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"
        25⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1000
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f64724a7a5dacb9fa35c1262cd8347f3

SHA1
70a368a673c2d93cec527db0c0cbbfd667e0722d

SHA256
d84f119bb0e3a017340588809ea4e03cd1efba8225ac36d68c0e24c36de7bef3

SHA512
de8b6efba5e7b20213d42f5a76e139a4bf87948f9f604157c08ebb840cbc46849b18af559b347f0055f1a468fca1da7c4e83f99ceb37acacbce7467b7b8f17d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fa254ce439b215161682f79a6659be4

SHA1
f75e2f13ae25b4e8bcb2b74b5693218515123235

SHA256
4ff6df81f0ae667ff3c5d5b09d6f640800f3cd9793710153cb40125c85f144e1

SHA512
d47d7eb16c3b9cbbe8a11a63f15dc10634c45dcb2a2f692c47f659bc8dcac7b4b67b442a3ec789d935839676737cf1fc558ae5145e24126465b5642a6d7bbe33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba84236be47e27ac02ca693b6d5927b5

SHA1
42cc9bd80695bdd7e1a84e0b1446c6afa4be888a

SHA256
5d4aaeae46cec203b73dff7d4a38d95ea8e7c8b41028ddb175c9692ea29fa06f

SHA512
c573267371de0cae7ffe354386cc56fcbb283311a57d44477b73841e4b531122c3b2bbed6bc134e02a0f96b1c7d253440fc84f752c7a94e8d8891f940c7b74e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08f038eefa558b8a32370ec9f334600e

SHA1
25239b492c5c15da16a4cd52eb03b63375fe4e7e

SHA256
02775cac6ca535c90c4154e8e6b2053e4965db0e919add0a0b3145c79c600643

SHA512
b80f0b44c5e69e52050b37c0de2112f82a16af030b5548212e99c023819eafc94bcd549397101abfbc6629f26e6bb2c7fd83ddc3ae6bebf94d14453370998e8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
830d6d4bcdc469ea85445abea3a07bd2

SHA1
058f2b8a9e30b84cc2e47fad4ade8af15b8da891

SHA256
477bf9d30775eb85a397d4fc4b32e2ebf2d523b3bd855ea82903fe20979a628b

SHA512
8a61ac9a16a444e1a21e82f30dda542a0fd8b1c0989a7b69f39d3b9051eae9cfd5fa8bad81d1a3ea0d867b167b9ab3eaf27b66cd9e488ae3e048ab28230a3978

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0836fd06c1c98fc51de123e9509f39aa

SHA1
3357c67185b677bb7b06496fddaca1508ccbd3dd

SHA256
5be10aa8b124bb22bde6c217370b123bcd37d3d26a3095dacec1e89ec26e474d

SHA512
4acd6e9c113e2c8f12eaf517cd8477fe6ef62b240a09d6dcfe6d44b77788b89d0e300a9fa0ae63e6fa3e69765cc53668144789fbd6d32dfb806d54d5d0bf923f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3582b3ec132a27614c8937c27da715c3

SHA1
fa778a1fdd2c86ec65cf4480eb1704b912678cd9

SHA256
520ab6c1eea6ec3302f987f4b2e4042762a4002ee7163b81e225215b47d0ba90

SHA512
65adc62ae8dd830d9380b4ad1c2efd88d1073ec002db10e9bf93250bd2cfbe491a96f8a1427499bcc0ba1052a0e3fdd6cecb1e6fa830082dc14a46f35cbe7f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e411c32001969abe7910e8a5c82f95b5

SHA1
3a33baccbe44fa81ad5dcc425408aa35516fa980

SHA256
f706ccc97b35af9bf5b1a5c06815a299fb60eef91706212ccc94d897df541b64

SHA512
b1ebf14e3235485ba625ea602dec5306b43c6682a1b2f5ebc0c7c8de95453dc43da91f9f4b92076b6b040d06e5f2e63f31052bb32f6a71439b13da25df7c3f96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43251329de283e0f4f78584120d56f25

SHA1
bb0f7fe71a88cf1564913756a8d83e4a58741646

SHA256
993d3e9f169c6f7003990044f3ac6f29b1a28683171be35e6130b2624df962cd

SHA512
3986ab5991cd1779a62da65ffb6d8bf208d95dc88af5c1073763a3d9ba680731630264a46cd09cd3f7d1fa82691db38cf5e88af070a73844ab4055c679ada3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat

Filesize
230B

MD5
9ea5f812576a821fbde41dc56af0bf96

SHA1
3a3384ec49ca430859f63e4a091cb8595b9ad358

SHA256
8cc1621ab24ba993bcf54d749185c5b9bf4f8ce25c9fe3223755b7ceeb67d615

SHA512
7f72c318ea508ca457a967d594d11ca5516f76ea03168b43be2abb7bb7c751049325d247d2ddc1936f9f5bcb2317cc12fa0c3c88aebbfe13c04c2694b1a09c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

Filesize
230B

MD5
e44043a50eaf1789a2a96a2aed84e688

SHA1
7c014a57ebe4f7e9359f1a92d03beabed6741763

SHA256
be57fe64e52031bdfff3647a600dec4443ceaf6ca75e4413bfe626a45b3b6ca2

SHA512
e3a2b153ffc4006773b1c41dac520ede1fb5e56272045971a3323d7c5891ab49f45044f530ad71cf850686cc71e661b403384f9033559f51ae8d8aaa04525b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7783.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat

Filesize
230B

MD5
f2b366960ff6f0c703ae3ea0296c106d

SHA1
b6eabf6e78cdc611c14b73347e98ef01c7457bfe

SHA256
bbee3e2035896b3a5f3ed40329553be3b337a3639a77061cdeb14fa8cc070aa0

SHA512
cb3fedd7f3b81d0d516641c6dbe3efad91b68e99dab18aa92e69f7ab3919450486c9891ae46f0dee0df3a7595ed886cde5415093d182dade776b9cebba9de821

Download Submit
C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat

Filesize
230B

MD5
c7493bf2d6849bfd98fa6bb83523a136

SHA1
61d14fad397075630287fb63c6d3f3ff8e6dcc11

SHA256
8cc53fee91054316524e15a5730d10f1f2117bf742d0691e87c7d8fa0c6079c9

SHA512
c44b4e1b4bff461e0271e6fcbbe2d5cfeb68c9c6c99eeec4fad7078a9f986b61b794fb00b9fbfe34125507201a24775bce22144653470a8f5edec234a5d02097

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
230B

MD5
14d3a1f516b178a4a4e3ee50b75407ce

SHA1
6771f1d2f4f06f813b9dba444b64de4ee2f1498b

SHA256
28b7927de3aa48628d588723bdfa1ab0e2b935e0759b5474b814d3adf9fecca9

SHA512
6d7fe0557786ef617710312f82de475b7295cfaeec0485cff58c9bb1ce33fd2273ce6328bb69b7969d237d13b5fbd9d90c924dad43009a235399641fa19b1d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar77A5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat

Filesize
230B

MD5
cc79d76137884bb82b57910395b97fae

SHA1
8200f9319c6b2e2e73e0fe1aad4de8b9df34d60e

SHA256
8bb73a1f492e6114bfe232b0e3d24623fb7f01ba6c10599a80477cd6eb54ba38

SHA512
59d1811720504deb388629ac4148139dcc46499d138359d15abfce12c75923709574431146d16a0e4eece2aa95e9491774c294c0ae9b935dd4a7c90bdc05f5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
230B

MD5
73fbba88bcbd724b557233c0a04bec1d

SHA1
7d0f13d03bc38a49b1ab35b1a8af4fcda28cd74f

SHA256
b96a7c16b2b715af0bd40e7ec2a0b4d92630d151da81d73c1163916807273db0

SHA512
f43a6e51d54fb9f5fee0003335490bec0d9a64c20741ed9046d91589a44b1235021f672fc4b0362bf148d14c930de86071573c8a1cba78643b0faaab9c4db99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
230B

MD5
f1cd6ce96c4d8865cf16a1bfcd0f8156

SHA1
5ebced21d599cc496a3c68bb01946e7687e5681c

SHA256
f7857f36479e717a1da2da226822fd7f0cc20bd1ea20255c50485915bf98e43c

SHA512
6f548332f57b7e80704d1b47eed0257826303daa6e61914a56c96049e6499d1080a67b8ed5cbf76cec79a2e6949a9a1c65d80251343b446f7991aa3e62d2c64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mHUpvBCeD9.bat

Filesize
230B

MD5
f2db589da9156d3105040e717d8948e5

SHA1
b13faba7a66df33ddc2f11da50bfafb472ad54ef

SHA256
975c9ac02d4f4c77ae682661df4a846204c7efcf40c6eec9b451db8e0f0b9edc

SHA512
b5b15a9c8997b561a387db5870871d99fed38d02f6795285dc3587c48ea88aef502f040862578c8bc041f3909412815422f36615076effb0acc34b6aec268a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

Filesize
230B

MD5
aa119a1833d6e7d192334ce85960eec5

SHA1
bb4ffa8c1ec5057068df5f6c59b21032d0f303e1

SHA256
1f1ae046916b988b409708e4daed54842decfb298969d0f1c790ffdab749d2c5

SHA512
7f341323eb385f9985fe418d66068780d067bb52ec1aa33a91a8a3df53438a3a0bdc64318cc6d18a13e336a1952de31083c0fbd25583670bd5df2bb39bd7b6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
230B

MD5
2627ca4f00702484298f8d4b7bc414fd

SHA1
6dca15a031fed1c9fa1fd3ee6a8e038867bcf0d9

SHA256
e8a5928615a1a8f7abfc097bd4695002b5e589943fc97e4e0f4efcd8a6fc9323

SHA512
fd8e7bbe36f3ebfb0b7fc19257194653f93668d758e1d53befd39d576850a03b5994b815c9887a68e18033f03b71c8f2d9ce80d19604aeeea57742d0a67905cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d83b8649686c4b8469562c81b89fa9ff

SHA1
2afb068ea32e289a23586cf8fa39abfdbd0d4606

SHA256
c6e8460558ca5a8895c51a4fe31ee425911f031444d2c2a5f577f624a5f9d92b

SHA512
efdf86e869fc45495f3d1957dd4047a8c122031d49df834e664094c1284b2f3c6b867b243925b8396123979636c9ceb0f22d4a484662aa8ac3e1800b9f33cba9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/892-67-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/892-56-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1016-460-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/1104-400-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/1240-101-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/1564-280-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2312-698-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2444-13-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2444-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2444-15-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2444-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2444-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2508-220-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2692-638-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2728-160-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/2820-340-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download