dcrat | 0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe
Size

1.3MB
MD5

13d857df1e0216ee214c877230784f86
SHA1

ecf641be074dd244917f7c2ef4752ceaf6dbffa9
SHA256

0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e
SHA512

5febaf522ae186d9337d7fa535500757f8631513d03707e797d8f87d94d83c1c7063e92aaa1b155e2242a4fdb711d56565ee1eda7846321842512bbd06ec653c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2920	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193d9-9.dat	dcrat
behavioral1/memory/2636-13-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2188-77-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2748-164-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1052-523-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/1788-583-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe
1036	powershell.exe
2336	powershell.exe
2444	powershell.exe
3040	powershell.exe
1560	powershell.exe
1956	powershell.exe
2276	powershell.exe
1812	powershell.exe
2136	powershell.exe
1332	powershell.exe
1548	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2636	DllCommonsvc.exe
2188	lsass.exe
2748	lsass.exe
2500	lsass.exe
2516	lsass.exe
616	lsass.exe
2420	lsass.exe
1676	lsass.exe
1052	lsass.exe
1788	lsass.exe
1984	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2816	cmd.exe
2816	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\it-IT\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\L2Schemas\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2596	schtasks.exe
400	schtasks.exe
1204	schtasks.exe
2868	schtasks.exe
2116	schtasks.exe
864	schtasks.exe
1472	schtasks.exe
816	schtasks.exe
1316	schtasks.exe
1700	schtasks.exe
1656	schtasks.exe
868	schtasks.exe
1484	schtasks.exe
1000	schtasks.exe
2180	schtasks.exe
3036	schtasks.exe
1684	schtasks.exe
988	schtasks.exe
652	schtasks.exe
1112	schtasks.exe
484	schtasks.exe
1612	schtasks.exe
2856	schtasks.exe
2392	schtasks.exe
2388	schtasks.exe
1640	schtasks.exe
2992	schtasks.exe
2456	schtasks.exe
768	schtasks.exe
576	schtasks.exe
1352	schtasks.exe
2324	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2636	DllCommonsvc.exe
2636	DllCommonsvc.exe
2636	DllCommonsvc.exe
2636	DllCommonsvc.exe
2636	DllCommonsvc.exe
1560	powershell.exe
1812	powershell.exe
1036	powershell.exe
3040	powershell.exe
2276	powershell.exe
1332	powershell.exe
2188	lsass.exe
1956	powershell.exe
1548	powershell.exe
1440	powershell.exe
2336	powershell.exe
2136	powershell.exe
2444	powershell.exe
2748	lsass.exe
2500	lsass.exe
2516	lsass.exe
616	lsass.exe
2420	lsass.exe
1676	lsass.exe
1052	lsass.exe
1788	lsass.exe
1984	lsass.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	DllCommonsvc.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2188	lsass.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2748	lsass.exe
Token: SeDebugPrivilege	2500	lsass.exe
Token: SeDebugPrivilege	2516	lsass.exe
Token: SeDebugPrivilege	616	lsass.exe
Token: SeDebugPrivilege	2420	lsass.exe
Token: SeDebugPrivilege	1676	lsass.exe
Token: SeDebugPrivilege	1052	lsass.exe
Token: SeDebugPrivilege	1788	lsass.exe
Token: SeDebugPrivilege	1984	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2736	3012	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe	30
PID 3012 wrote to memory of 2736	3012	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe	30
PID 3012 wrote to memory of 2736	3012	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe	30
PID 3012 wrote to memory of 2736	3012	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe	30
PID 2736 wrote to memory of 2816	2736	WScript.exe	31
PID 2736 wrote to memory of 2816	2736	WScript.exe	31
PID 2736 wrote to memory of 2816	2736	WScript.exe	31
PID 2736 wrote to memory of 2816	2736	WScript.exe	31
PID 2816 wrote to memory of 2636	2816	cmd.exe	33
PID 2816 wrote to memory of 2636	2816	cmd.exe	33
PID 2816 wrote to memory of 2636	2816	cmd.exe	33
PID 2816 wrote to memory of 2636	2816	cmd.exe	33
PID 2636 wrote to memory of 2276	2636	DllCommonsvc.exe	68
PID 2636 wrote to memory of 2276	2636	DllCommonsvc.exe	68
PID 2636 wrote to memory of 2276	2636	DllCommonsvc.exe	68
PID 2636 wrote to memory of 2336	2636	DllCommonsvc.exe	69
PID 2636 wrote to memory of 2336	2636	DllCommonsvc.exe	69
PID 2636 wrote to memory of 2336	2636	DllCommonsvc.exe	69
PID 2636 wrote to memory of 1332	2636	DllCommonsvc.exe	70
PID 2636 wrote to memory of 1332	2636	DllCommonsvc.exe	70
PID 2636 wrote to memory of 1332	2636	DllCommonsvc.exe	70
PID 2636 wrote to memory of 3040	2636	DllCommonsvc.exe	71
PID 2636 wrote to memory of 3040	2636	DllCommonsvc.exe	71
PID 2636 wrote to memory of 3040	2636	DllCommonsvc.exe	71
PID 2636 wrote to memory of 2444	2636	DllCommonsvc.exe	72
PID 2636 wrote to memory of 2444	2636	DllCommonsvc.exe	72
PID 2636 wrote to memory of 2444	2636	DllCommonsvc.exe	72
PID 2636 wrote to memory of 1812	2636	DllCommonsvc.exe	74
PID 2636 wrote to memory of 1812	2636	DllCommonsvc.exe	74
PID 2636 wrote to memory of 1812	2636	DllCommonsvc.exe	74
PID 2636 wrote to memory of 2136	2636	DllCommonsvc.exe	76
PID 2636 wrote to memory of 2136	2636	DllCommonsvc.exe	76
PID 2636 wrote to memory of 2136	2636	DllCommonsvc.exe	76
PID 2636 wrote to memory of 1560	2636	DllCommonsvc.exe	77
PID 2636 wrote to memory of 1560	2636	DllCommonsvc.exe	77
PID 2636 wrote to memory of 1560	2636	DllCommonsvc.exe	77
PID 2636 wrote to memory of 1956	2636	DllCommonsvc.exe	78
PID 2636 wrote to memory of 1956	2636	DllCommonsvc.exe	78
PID 2636 wrote to memory of 1956	2636	DllCommonsvc.exe	78
PID 2636 wrote to memory of 1548	2636	DllCommonsvc.exe	79
PID 2636 wrote to memory of 1548	2636	DllCommonsvc.exe	79
PID 2636 wrote to memory of 1548	2636	DllCommonsvc.exe	79
PID 2636 wrote to memory of 1440	2636	DllCommonsvc.exe	80
PID 2636 wrote to memory of 1440	2636	DllCommonsvc.exe	80
PID 2636 wrote to memory of 1440	2636	DllCommonsvc.exe	80
PID 2636 wrote to memory of 1036	2636	DllCommonsvc.exe	81
PID 2636 wrote to memory of 1036	2636	DllCommonsvc.exe	81
PID 2636 wrote to memory of 1036	2636	DllCommonsvc.exe	81
PID 2636 wrote to memory of 2188	2636	DllCommonsvc.exe	91
PID 2636 wrote to memory of 2188	2636	DllCommonsvc.exe	91
PID 2636 wrote to memory of 2188	2636	DllCommonsvc.exe	91
PID 2188 wrote to memory of 1716	2188	lsass.exe	93
PID 2188 wrote to memory of 1716	2188	lsass.exe	93
PID 2188 wrote to memory of 1716	2188	lsass.exe	93
PID 1716 wrote to memory of 2324	1716	cmd.exe	95
PID 1716 wrote to memory of 2324	1716	cmd.exe	95
PID 1716 wrote to memory of 2324	1716	cmd.exe	95
PID 1716 wrote to memory of 2748	1716	cmd.exe	96
PID 1716 wrote to memory of 2748	1716	cmd.exe	96
PID 1716 wrote to memory of 2748	1716	cmd.exe	96
PID 2748 wrote to memory of 2568	2748	lsass.exe	97
PID 2748 wrote to memory of 2568	2748	lsass.exe	97
PID 2748 wrote to memory of 2568	2748	lsass.exe	97
PID 2568 wrote to memory of 1600	2568	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Updater6\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2324
        
        C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1600
        
        C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"
        10⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3044
        
        C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        12⤵
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2548
        
        C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"
        14⤵
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1192
        
        C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
        16⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1956
        
        C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
        18⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2816
        
        C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
        20⤵
        
        PID:1204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2452
        
        C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat"
        22⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1028
        
        C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe
        
        "C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteApps\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteApps\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90f90ded3055486b971bfc97c10851db

SHA1
e95fcf7fb4d48f82ea34fa19bea316fa5f364451

SHA256
e2bca15550940d0c1112e47d2e93e354c2a7072fb143f5eec15e7686f2bd2672

SHA512
852f159ed1c9620a7e0f06521550797507802a3d55edfa9c8c4b199583ebb6b32a68bbf58664454e450ac638c1f57d08cbdbe6e0766c350e13cd692b15fd3ae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
478b9af99939ff32a6b6057db158fee6

SHA1
36c5aedbcc44bfea947753b3b0b8116f0f033581

SHA256
dff6f8bc31f60db79b2e473f9f476ae569bf98a19371c6ddb2e2264445bff445

SHA512
deaa8c2cebbcd76a7b2b723aebb622e720af2005e7cfc4d8f21df4a30a6a9c71e4c0d22ae27b993183ecc00e6c1c9d1067ed275a76f3ef19f57c71b1076167a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1c13546ca43820da7e3a1fc0690ed70

SHA1
3899f5b1f856c532ae1b11e8dd88248c4c6d3f47

SHA256
27824bf0db5ce9a9aec2419dcfd171684970cc2ef6194a69289fd298a1e8f3ce

SHA512
f07100f76edde41445dd1d63e9f87c63cce091cdbca9166e840568e77121c4f4bf262113a3f8557d6f931df6992bbbc3c1122afbc9ea0a5c9f35efbc2cd4ace2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86cbd60b35c23b9ad79823f884c41e6b

SHA1
f408daa6148dd62f26cf2193f9df6cce44e13d24

SHA256
4635dc647f7c4c081e1841436ce0e82e682a3875d76d29b6b940ef3b117304fe

SHA512
2ba8ac7008a7c0a5682aeec65b5f88d2e72350c382c478c835ecfa8ba205f4a74391e0e6dd4da4f06f3a888030ecbceb9db114b0d1dedac8598face83be34f00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6abdbdc8972bcf9aef781de79faf216e

SHA1
cf035748d0fccb283cf5bb659ca4f3be2d4ab99c

SHA256
8b5d4ec64f3ea6768c288a6a1ce7d66ca6885a2a85defd3f390209428d7e3012

SHA512
adc5a5a1df8c713f4d9b4933e0786173e4cba44f432ccbad8c9256ef1af36f2b9b67d273c4d7fa4ef48e5d2ed27dd339428740e98c943fa8e3479671f2e23534

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
464e8501c4d5e5e44b124e63c3dc5b1c

SHA1
cb05c4b8c36dcd1a8e5ce147c22fb80d53e3913d

SHA256
842ae42b029a96d86907d058a1202a63a15736bc6a5ee6b264a773eb3427adcd

SHA512
dffc5f7c3b42d24dc823531be583a0b1640466208780a847a37977144a3dda95b6b37996e1c0421d563a3933300797b3d47e26c9bba0f42eea6cfe6ff49af4a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2820479dcd9cb04f60bffe9e395677c0

SHA1
02b19dda86ed7faebb7f83f1d3ff5ded2763400a

SHA256
90f374946eb875a26b59d129ae6445381d1b15665cf479e22ee74164f31b9bd8

SHA512
9a6ad5c73279c692988c76cd24619330a90c11592ed75621657346b6abdb36a6e59f06437e06c2d43caa9600193695fcdf15e080d6052845f1ebca6f66a3bf09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8e977c4ebde02f262de2f6825a788c3

SHA1
82169d2b549fc854ed7852f1545bb4eb12ab77d4

SHA256
99132cc9670b3b5627fa70e7268f4f97a6b4ac48c3453afd8a427ac69b986d28

SHA512
bf680de3dfba0da6fcbb02dee7f0ef6bc854c02970ab202a195f88ee5cc5549c2d7ad82c6ae322c44e40afdb95fae3ed2b5599d9f83221c7d33126f920953bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat

Filesize
220B

MD5
1cc1b12297cbda2c8e845b47d9c9801a

SHA1
89fb178835778882ae00705eb9a6cff0190dcbdf

SHA256
8744d69da54e79d3b786dc5afd01aee9ff1dcf72188a93903f0c9bf9383bf262

SHA512
90b64e4bedc66ee987e3b91c8d9f82b92dce7433e115753c491160b2a998b3aa8820eeabc580040a264f30161aca0f709cb1ca55d181557d9e4e4b13df0a01cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab427E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

Filesize
220B

MD5
36f8c5275f048ce620e5f9f30b5118ef

SHA1
387ea6bb3edc67dd799988414ace8443fe3cfda8

SHA256
7f55f99677af87aa9b6fe6917c9e2870d365e5547eee4d111799b9db36d7c8ad

SHA512
67bde01be95638b1823e9ed420f94cc5eea8e81929ff2c7f6cf5cdace141541d5522ae151816a7d165a613c078d44c234e755d1cc35461d201cd2491202d407a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat

Filesize
220B

MD5
408b2d5cdaa160cc0c53d10ee4792d54

SHA1
334d44a90e37c31ccc13fc5ebb8a16fb6fb3151a

SHA256
af82b0c005f9c5264c084341e5131c1563601790aa1c333abb9ef4670fe37a49

SHA512
458fbf9d213a644e1e536892379999d4cf12983606c3059ab89af274b9c932a0b09ce1d4f8d2a22e8eddc1cf419580df487c1f1d352c6850d92be91bcd871767

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
220B

MD5
a111cb65622f3fffc88bda3a67caa2cb

SHA1
1847d85c50215652d6b82f6998302028cfa4191d

SHA256
860f12a5dc6d016a61d34be411686420eb6332b4c7d8bc4ab2af21fb823e3b59

SHA512
9f66e413fb777f621135ba6aefec111ddc53e4881f636fecfce66a783e4408f236c00287980fc9d8c2d6148923422170a76b7e9d33e36130e7e90ac8b7316234

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat

Filesize
220B

MD5
18ce9e7117309053f05b7248fccee25f

SHA1
4ed3adbc9113212eaf29e541d97413d6c23951d4

SHA256
85b6596e70024bb0ab138a9a952baf512a4d507e85c46b7a6ac66d26120c61f5

SHA512
12ec5ed71c7ce72ce349094ff61ff245cbda49e02dfb29a29cc18fb3f724732939a00b5940277b14b33e5f8a41bcaff6e52f4592b113f737dc48055baf336624

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4291.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

Filesize
220B

MD5
d145aa1bb216a085ad5cb7b74d17a4db

SHA1
14655737d6e03589723119b9c1e3abfbfd075aeb

SHA256
b12bc69ddc972d00398a19d349481ac2855683c6af427304871957726020e9fd

SHA512
34de9caaf7d4be14c8170fa4b07e1f2a990ae2f187b4fbd9653b8cf8b9b299044e6d26ef0abff502cb5545f945c273ef44658b8045ddeabfe04464d3d6570eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
220B

MD5
e8c5865d6547ae9459ea791febeabf04

SHA1
edffb3c065095bac1c49fb274e40902108a918fd

SHA256
25069f485dadf2bdd0865935a5fbb4c9b7b1eae0699b65bfbf34a6538a10565a

SHA512
0d844e3b024c4851dcf5ee4b4a1c9fc7e192dff121fa0d1f1a2a96148bb35b88e105d7cb84a6851146e5de9c59f7cd60d1373029bb29eb3bcb9714915a0626c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

Filesize
220B

MD5
c06e9ee93170815e4ebc612d7340357a

SHA1
323f307162e1819472ce786ecb888eb1c9b33d03

SHA256
8b32918046568011529e539ae63b7720b527739a04f44a06b5f3008e8952dd4d

SHA512
61428694b91f883a876e152e03cf09c64a77e48c88e5d57ed6b475850ab23e15823cdacde7236ca59e4a990a69761c98b42ea1e3da4b3cf69d6a51798d50525a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat

Filesize
220B

MD5
0ae4bdf476d418e9aea28374083cdc3a

SHA1
9ba95e72bc766419e6bd4264f4ef18975b277de3

SHA256
fcdee6452f304172adcf14d1eba7b2311a2926e9110d0b3c1f473cc1f731f012

SHA512
a46a47c2672c32230607d001a307f99ce10ce7150490c8b0261b8924282744854a6a31ab21352e2dd0e80ccfe33acb174c59c48feaeef5dddd3749f8de5ee64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
11da1fae17c789fe5d096de62d0c5a44

SHA1
5620f57fea6bc0bdfe3b1676c86d448b849f0ba5

SHA256
656cd8e0a22c6a9ee98c88134726795e4bbc67b0a4cef7874ed949778d17475b

SHA512
68ddff17a033a87f86fca1f690b7b3ed7dc81fc81390d128d9b261365dc22884ea677a8b796ed6cf2b145c41d18398e134da1cb75a7e03423493481afd364efa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/616-345-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1052-523-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/1560-75-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/1788-583-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/2188-78-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2188-77-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2276-59-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2500-225-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2516-285-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2636-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2636-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2636-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2636-13-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2636-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2748-165-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2748-164-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download