dcrat | 0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb.exe
Size

1.3MB
MD5

ea52cd03211558626da6ca5781a7e417
SHA1

3772d094d98a825aea5487e2a8d37099ea250367
SHA256

0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb
SHA512

4baf9e9dbcd6366bd916ff633d2ef0793bb94dbd4b0b2601bf5eb27707ca453a1893d38dee576000cb58c62b556701753d5e487cc03e4d98b25158fa8146c0dd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1980	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016458-9.dat	dcrat
behavioral1/memory/2660-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/2020-57-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/1940-335-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/1292-396-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/1840-456-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2296-517-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe
1256	powershell.exe
2540	powershell.exe
2308	powershell.exe
684	powershell.exe
1316	powershell.exe
2264	powershell.exe
2548	powershell.exe
2464	powershell.exe
740	powershell.exe
928	powershell.exe
1304	powershell.exe
812	powershell.exe
2220	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2660	DllCommonsvc.exe
2020	explorer.exe
1184	explorer.exe
676	explorer.exe
1040	explorer.exe
1940	explorer.exe
1292	explorer.exe
1840	explorer.exe
2296	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	cmd.exe
2672	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
12	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\it-IT\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\debug\WIA\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1300	schtasks.exe
1908	schtasks.exe
2536	schtasks.exe
1660	schtasks.exe
1264	schtasks.exe
264	schtasks.exe
2376	schtasks.exe
1924	schtasks.exe
1572	schtasks.exe
676	schtasks.exe
536	schtasks.exe
2380	schtasks.exe
1272	schtasks.exe
2972	schtasks.exe
1672	schtasks.exe
2892	schtasks.exe
1668	schtasks.exe
1692	schtasks.exe
1764	schtasks.exe
2232	schtasks.exe
2140	schtasks.exe
1236	schtasks.exe
2928	schtasks.exe
2076	schtasks.exe
2576	schtasks.exe
1072	schtasks.exe
2024	schtasks.exe
2268	schtasks.exe
528	schtasks.exe
2384	schtasks.exe
2092	schtasks.exe
1780	schtasks.exe
2176	schtasks.exe
1928	schtasks.exe
2284	schtasks.exe
2072	schtasks.exe
1328	schtasks.exe
2956	schtasks.exe
2144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2264	powershell.exe
1256	powershell.exe
2020	explorer.exe
2464	powershell.exe
928	powershell.exe
2540	powershell.exe
2548	powershell.exe
812	powershell.exe
2104	powershell.exe
684	powershell.exe
1304	powershell.exe
2220	powershell.exe
1316	powershell.exe
740	powershell.exe
2308	powershell.exe
1184	explorer.exe
676	explorer.exe
1040	explorer.exe
1940	explorer.exe
1292	explorer.exe
1840	explorer.exe
2296	explorer.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	DllCommonsvc.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2020	explorer.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1184	explorer.exe
Token: SeDebugPrivilege	676	explorer.exe
Token: SeDebugPrivilege	1040	explorer.exe
Token: SeDebugPrivilege	1940	explorer.exe
Token: SeDebugPrivilege	1292	explorer.exe
Token: SeDebugPrivilege	1840	explorer.exe
Token: SeDebugPrivilege	2296	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2788	2776	JaffaCakes118_0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb.exe	30
PID 2776 wrote to memory of 2788	2776	JaffaCakes118_0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb.exe	30
PID 2776 wrote to memory of 2788	2776	JaffaCakes118_0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb.exe	30
PID 2776 wrote to memory of 2788	2776	JaffaCakes118_0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb.exe	30
PID 2788 wrote to memory of 2672	2788	WScript.exe	31
PID 2788 wrote to memory of 2672	2788	WScript.exe	31
PID 2788 wrote to memory of 2672	2788	WScript.exe	31
PID 2788 wrote to memory of 2672	2788	WScript.exe	31
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2660 wrote to memory of 2264	2660	DllCommonsvc.exe	74
PID 2660 wrote to memory of 2264	2660	DllCommonsvc.exe	74
PID 2660 wrote to memory of 2264	2660	DllCommonsvc.exe	74
PID 2660 wrote to memory of 928	2660	DllCommonsvc.exe	75
PID 2660 wrote to memory of 928	2660	DllCommonsvc.exe	75
PID 2660 wrote to memory of 928	2660	DllCommonsvc.exe	75
PID 2660 wrote to memory of 2540	2660	DllCommonsvc.exe	76
PID 2660 wrote to memory of 2540	2660	DllCommonsvc.exe	76
PID 2660 wrote to memory of 2540	2660	DllCommonsvc.exe	76
PID 2660 wrote to memory of 2548	2660	DllCommonsvc.exe	78
PID 2660 wrote to memory of 2548	2660	DllCommonsvc.exe	78
PID 2660 wrote to memory of 2548	2660	DllCommonsvc.exe	78
PID 2660 wrote to memory of 1304	2660	DllCommonsvc.exe	82
PID 2660 wrote to memory of 1304	2660	DllCommonsvc.exe	82
PID 2660 wrote to memory of 1304	2660	DllCommonsvc.exe	82
PID 2660 wrote to memory of 2104	2660	DllCommonsvc.exe	83
PID 2660 wrote to memory of 2104	2660	DllCommonsvc.exe	83
PID 2660 wrote to memory of 2104	2660	DllCommonsvc.exe	83
PID 2660 wrote to memory of 2464	2660	DllCommonsvc.exe	84
PID 2660 wrote to memory of 2464	2660	DllCommonsvc.exe	84
PID 2660 wrote to memory of 2464	2660	DllCommonsvc.exe	84
PID 2660 wrote to memory of 2308	2660	DllCommonsvc.exe	85
PID 2660 wrote to memory of 2308	2660	DllCommonsvc.exe	85
PID 2660 wrote to memory of 2308	2660	DllCommonsvc.exe	85
PID 2660 wrote to memory of 812	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 812	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 812	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 2220	2660	DllCommonsvc.exe	88
PID 2660 wrote to memory of 2220	2660	DllCommonsvc.exe	88
PID 2660 wrote to memory of 2220	2660	DllCommonsvc.exe	88
PID 2660 wrote to memory of 684	2660	DllCommonsvc.exe	89
PID 2660 wrote to memory of 684	2660	DllCommonsvc.exe	89
PID 2660 wrote to memory of 684	2660	DllCommonsvc.exe	89
PID 2660 wrote to memory of 1256	2660	DllCommonsvc.exe	91
PID 2660 wrote to memory of 1256	2660	DllCommonsvc.exe	91
PID 2660 wrote to memory of 1256	2660	DllCommonsvc.exe	91
PID 2660 wrote to memory of 1316	2660	DllCommonsvc.exe	92
PID 2660 wrote to memory of 1316	2660	DllCommonsvc.exe	92
PID 2660 wrote to memory of 1316	2660	DllCommonsvc.exe	92
PID 2660 wrote to memory of 740	2660	DllCommonsvc.exe	93
PID 2660 wrote to memory of 740	2660	DllCommonsvc.exe	93
PID 2660 wrote to memory of 740	2660	DllCommonsvc.exe	93
PID 2660 wrote to memory of 2020	2660	DllCommonsvc.exe	102
PID 2660 wrote to memory of 2020	2660	DllCommonsvc.exe	102
PID 2660 wrote to memory of 2020	2660	DllCommonsvc.exe	102
PID 2020 wrote to memory of 1640	2020	explorer.exe	103
PID 2020 wrote to memory of 1640	2020	explorer.exe	103
PID 2020 wrote to memory of 1640	2020	explorer.exe	103
PID 1640 wrote to memory of 3036	1640	cmd.exe	105
PID 1640 wrote to memory of 3036	1640	cmd.exe	105
PID 1640 wrote to memory of 3036	1640	cmd.exe	105
PID 1640 wrote to memory of 1184	1640	cmd.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0f4d4e86b7b023de4253b1d34624f16b790f03d412233e3ed45a09021d1eb6eb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
    - - C:\Program Files (x86)\Windows NT\explorer.exe
        
        "C:\Program Files (x86)\Windows NT\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3036
        
        C:\Program Files (x86)\Windows NT\explorer.exe
        
        "C:\Program Files (x86)\Windows NT\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"
        8⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2228
        
        C:\Program Files (x86)\Windows NT\explorer.exe
        
        "C:\Program Files (x86)\Windows NT\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
        10⤵
        
        PID:812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2364
        
        C:\Program Files (x86)\Windows NT\explorer.exe
        
        "C:\Program Files (x86)\Windows NT\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
        12⤵
        
        PID:1140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2936
        
        C:\Program Files (x86)\Windows NT\explorer.exe
        
        "C:\Program Files (x86)\Windows NT\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
        14⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1772
        
        C:\Program Files (x86)\Windows NT\explorer.exe
        
        "C:\Program Files (x86)\Windows NT\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        16⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1500
        
        C:\Program Files (x86)\Windows NT\explorer.exe
        
        "C:\Program Files (x86)\Windows NT\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
        18⤵
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2796
        
        C:\Program Files (x86)\Windows NT\explorer.exe
        
        "C:\Program Files (x86)\Windows NT\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        20⤵
        
        PID:1184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\debug\WIA\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3eaa3127bf44267c499cbdcc9e4cfa51

SHA1
1f3505bba927565c3a3b753efe8f188c5e7f9cc2

SHA256
9381eb3eaa86e3b82161a16b867a6cd7ac1eab4c276516f9502b578e8c304774

SHA512
ae99f0b3a44981e906424daa5b4e517cc19885aad1e01431388c28e15c10e78653165f91b75cf22a87febb49b030ea16351ff6bfafb49b9cc851a8560db5d3fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
387dee89bd85c0f9f61411d373821411

SHA1
b972de0a6e170a52d2068e2c8f3360b492523d75

SHA256
ab7a7302668ff6308f09a496b1df285c1c13a5dfc5066a1b2b2fb2ed3f89b56b

SHA512
f14671bb14d64aeb63e14c998550b095f48046c93eabc58a870fc42d79f412cd336c98a942c4186d8b25aa5642f859a992be0dfee248b8959dd4c4fa40274cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2cbe66993279efe2ce7ca53de637c25

SHA1
8662271e744d35c6a048f8681fd9b2849913ffe3

SHA256
15b0a6729a549ea45600012518341f6dbd23aadd6157a2716f47cf62a6c0060a

SHA512
0590e2961a735422bf90fe066350c99d6089faf479d2d8a2c5a66e5a26f67236268390c4a9261689264a9f7edefb8f28d9f6a2114ed5c6e55cec3396b5b3bc65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43be1c90308cdb467f856795369460d8

SHA1
267efd564621da665e1f9908fc2f93a998a4f066

SHA256
17866271c76e5fa7d93ff0397056a3952e638a2043ec3ed64572745007b0795b

SHA512
9a8c1f0fe4525e086f270075093de64694bf51042f9eb7daf3bacc09abd9c5f30b5991794e8d77b9d17de050f9f5c2a4483f592345ee7be10554eae3b48d2877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21c2a61f0d5ad0207c826aff16e5942a

SHA1
35ea2810bdb0fb78aef2759db3c6b4d68bf5cb31

SHA256
70c56888f1bf070a6dc2f31d7a87c91be992fb736d14f6547b6cf8521ef92d6a

SHA512
daba4b11d07f307647530ef9ce3c5cd44dff4b81c5e15c904e98635baae779c090ae9c38a84898847d3861fcc975425bcd00d4567a880f143358ea4a16efb0f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9af33529fc823485db2eea283bb8b6af

SHA1
4d40319f112d5b3fd3755dd4cb7d5025a7a4989c

SHA256
d088491c3526d3f78ac15cfc32e886e6be335df89873b77cecdf87ab269cf972

SHA512
8d2af3e263cd4ab369a22d93a50a4a59b6954dc8e1e1dba53a20565da9ade0e4944e507a88f2a55ab7050c550c907ab9342735a4d2a72d24c0fd7ff95e1ebc5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a46f17dc1dc08de4429a16fea7120a0c

SHA1
f57d215fc448b76f9064a0fa95a8d6c41777c49b

SHA256
66976ffa86f63398e19daa9f1319d6d07559943f929da767cb67f8638b32131a

SHA512
726b426cbd6a96c8cb92e3b7249973232445aaeaf5b5ac48b03ddebe2f464911202782a53803130afc3a1abd832cd3eab805ad0474cc40d1553680a16d6d79a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat

Filesize
211B

MD5
6fa345d8bd95cc7bb360243ed7739ce9

SHA1
9dee8c49bcc49d6f86777aae2b9f9a24e514f8e3

SHA256
7e2bd2909f23dd3b1db62d138d7439e0d435ba55260024d42f00edf9c77deaf6

SHA512
ccd167edfd9ff6e555768db7d2c1672f04a39fdc83bb250f10b01619b45cbbfa3cd7db2803d883088838a4ae298b92cf1acdf1325030a8fe881564f6c00817ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

Filesize
211B

MD5
9f0584f99c1604d69ccdc541276047a1

SHA1
3420fb2e9879d130dc0ff45cda8c060098de2c34

SHA256
0cd02930cc588a0d7c68dabc2e6cd6b7a5fb4443a2644230343c84913f959f44

SHA512
504b447e58140b268339b943191fc18f6ad1bc000978fcb5d4bf0b996768c9eb247fa4b3078fa2e447afa863853c1c51711fae7275bac4f381fb9b944f4de26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA3D0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

Filesize
211B

MD5
d2cea25dd0f7dbb0ad0d5bc5339cd64a

SHA1
ee90c9a3b44025df19b2d87cc3bd2aa8c39a10e7

SHA256
576cccb5975b842ecc6af95db5d0a53c391481fc4b63a74aece6fbdee25c3626

SHA512
9315ae612a13f0b845aa147e4d61fcb10af7e539deb4beb1038fa4ce3bf10895908f19ad8fc64019074f0046cd0e3f4651df0c49bc0acb490d12df9bf21b24bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
211B

MD5
5a49a399e73253fb1795860751caa845

SHA1
f3529760dd46e9a3a95c06fd2b24ae49172f83a3

SHA256
89dee0f6bd36ca03ad9092e6cb4904624789c2f036d3acb5c8a22986376435c2

SHA512
f2e79a5089dbab527bcd966572dc39a06afe0ec4d81de814c91332e240bdb0305340669a824711cab900ed9b9701a692f6a4922b9f6915a6fbf3307716fae1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA402.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

Filesize
211B

MD5
31150895a7514600b35089cee0c88c36

SHA1
3ea2d492c200ddc7ec5bb0a5a26b3a88941481a1

SHA256
954f9b2313ba81b4b7103102762315b20d293807a99162941c16b3b611ab3420

SHA512
d0e863aa55dfcf0f898bb80418b0f32969e5fde31ef55450ef252d7501691468a200b78efc50142c887ec84ec64d99e3ac0da1436c720e4e79c0f2554d71ced2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
211B

MD5
edc48c0432bd3ac508ce9a03c1af2d79

SHA1
d4388643f48fedd12a73999bb6763aa15ee87d9e

SHA256
3973ca909bf16f1722ee423e010ea60ea90cb2b178f710d23d296e2629254a0c

SHA512
a02346ccd08fb6146c2c079e1e38a2c2d277dab2c42ef43d8bef1d59f57f56322bb4c37726e8885736fcd3e9d1605ea33acd900b94596920a294cd2c58a4e24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

Filesize
211B

MD5
bcbb476bd4eaf4598f66f10f34e8cb9f

SHA1
0d831064335bb886b5abfbad76413e330fe9d332

SHA256
8dcd99357963bbfd8e24d1e548b0fe50bf2a52ad0747bfa982b332f5461e2a3f

SHA512
6652160cdbac08c7d6c58f9251ccd026edb58e3c9db80650f6ea9397db4f81729db1efbd360c70a2bd2d68597f0c8c37f40911d3bf7c6b65a186bdfb483e8a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat

Filesize
211B

MD5
d97b75911c2a844bfb939935a7f3da53

SHA1
f558de834c34e134136a1ac5aba12c36760fc3f2

SHA256
496fe34373bc5b226d25fa2b1d30cf13cfbac981d6d33502583d3705f9a849fb

SHA512
5c006d522df127e71a45fe661fa5fac7d57c9d90440ddc9ddea0343cefb9652fc6ad0e17debad0d0961f2f4124f5170254c7de08ded007f10f8ffcf537218829

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
69b12839fffcd7c06bdf06fee001a8cd

SHA1
bb6cc0bf859c564482fd7589c48a8130aae78bda

SHA256
11d9aa0204ffb1936ca7930d12d3123b4169bf6c38f53899978688f59cff8121

SHA512
e0a6dba3e1d223eca1a97f578f736e7a961ff4287f7fd6065e496c747ba0c3021b29660a7b8afef24842df46204291e75e8ae788ddaa24409c9a6806c3e9400a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1184-157-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1292-396-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-456-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/1840-457-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1940-336-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1940-335-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2020-68-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2020-57-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/2264-51-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2264-50-0x000000001B0C0000-0x000000001B3A2000-memory.dmp

Filesize
2.9MB

Download
memory/2296-517-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2296-518-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2660-17-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/2660-15-0x0000000001F40000-0x0000000001F4C000-memory.dmp

Filesize
48KB

Download
memory/2660-16-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/2660-14-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2660-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download