dcrat | aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1.exe
Size

1.3MB
MD5

12f338e54a19a37dfcf60b9271e8dcb1
SHA1

b9e07ec838ed1b1454cdcf2f0493ce3a7a633085
SHA256

aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1
SHA512

969c43e5ef4e073f0ffc07524bfc292ab1a36ee012d0df92c89867d50be0c51234299470f86adc1687267728e0f6c579c1228523d23b2b192c746db460aab4ab
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2856	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016241-9.dat	dcrat
behavioral1/memory/2564-13-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1892-50-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1668-225-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/2632-285-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/2924-346-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/1952-466-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2736-527-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2516-587-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2876-647-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1272	powershell.exe
1488	powershell.exe
2016	powershell.exe
580	powershell.exe
1612	powershell.exe
2040	powershell.exe
1604	powershell.exe
544	powershell.exe
2152	powershell.exe
2020	powershell.exe
684	powershell.exe
2576	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2564	DllCommonsvc.exe
1892	services.exe
2340	services.exe
1668	services.exe
2632	services.exe
2924	services.exe
2652	services.exe
1952	services.exe
2736	services.exe
2516	services.exe
2876	services.exe
2676	services.exe
856	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	cmd.exe
2244	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
39	raw.githubusercontent.com
43	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\OSPPSVC.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1212	schtasks.exe
2836	schtasks.exe
2184	schtasks.exe
1288	schtasks.exe
2768	schtasks.exe
1468	schtasks.exe
2496	schtasks.exe
2112	schtasks.exe
816	schtasks.exe
2720	schtasks.exe
2324	schtasks.exe
3068	schtasks.exe
896	schtasks.exe
1968	schtasks.exe
1144	schtasks.exe
2352	schtasks.exe
1984	schtasks.exe
2308	schtasks.exe
2832	schtasks.exe
2620	schtasks.exe
2008	schtasks.exe
3048	schtasks.exe
2696	schtasks.exe
1248	schtasks.exe
2924	schtasks.exe
752	schtasks.exe
1464	schtasks.exe
1588	schtasks.exe
1116	schtasks.exe
2584	schtasks.exe
2680	schtasks.exe
568	schtasks.exe
2492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2564	DllCommonsvc.exe
2564	DllCommonsvc.exe
2564	DllCommonsvc.exe
2564	DllCommonsvc.exe
2564	DllCommonsvc.exe
684	powershell.exe
1272	powershell.exe
2016	powershell.exe
1892	services.exe
580	powershell.exe
1612	powershell.exe
1604	powershell.exe
544	powershell.exe
2040	powershell.exe
2576	powershell.exe
2152	powershell.exe
1488	powershell.exe
2020	powershell.exe
2340	services.exe
1668	services.exe
2632	services.exe
2924	services.exe
2652	services.exe
1952	services.exe
2736	services.exe
2516	services.exe
2876	services.exe
2676	services.exe
856	services.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	DllCommonsvc.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1892	services.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2340	services.exe
Token: SeDebugPrivilege	1668	services.exe
Token: SeDebugPrivilege	2632	services.exe
Token: SeDebugPrivilege	2924	services.exe
Token: SeDebugPrivilege	2652	services.exe
Token: SeDebugPrivilege	1952	services.exe
Token: SeDebugPrivilege	2736	services.exe
Token: SeDebugPrivilege	2516	services.exe
Token: SeDebugPrivilege	2876	services.exe
Token: SeDebugPrivilege	2676	services.exe
Token: SeDebugPrivilege	856	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2388	2100	JaffaCakes118_aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1.exe	30
PID 2100 wrote to memory of 2388	2100	JaffaCakes118_aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1.exe	30
PID 2100 wrote to memory of 2388	2100	JaffaCakes118_aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1.exe	30
PID 2100 wrote to memory of 2388	2100	JaffaCakes118_aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1.exe	30
PID 2388 wrote to memory of 2244	2388	WScript.exe	31
PID 2388 wrote to memory of 2244	2388	WScript.exe	31
PID 2388 wrote to memory of 2244	2388	WScript.exe	31
PID 2388 wrote to memory of 2244	2388	WScript.exe	31
PID 2244 wrote to memory of 2564	2244	cmd.exe	33
PID 2244 wrote to memory of 2564	2244	cmd.exe	33
PID 2244 wrote to memory of 2564	2244	cmd.exe	33
PID 2244 wrote to memory of 2564	2244	cmd.exe	33
PID 2564 wrote to memory of 1604	2564	DllCommonsvc.exe	68
PID 2564 wrote to memory of 1604	2564	DllCommonsvc.exe	68
PID 2564 wrote to memory of 1604	2564	DllCommonsvc.exe	68
PID 2564 wrote to memory of 544	2564	DllCommonsvc.exe	69
PID 2564 wrote to memory of 544	2564	DllCommonsvc.exe	69
PID 2564 wrote to memory of 544	2564	DllCommonsvc.exe	69
PID 2564 wrote to memory of 684	2564	DllCommonsvc.exe	70
PID 2564 wrote to memory of 684	2564	DllCommonsvc.exe	70
PID 2564 wrote to memory of 684	2564	DllCommonsvc.exe	70
PID 2564 wrote to memory of 2576	2564	DllCommonsvc.exe	71
PID 2564 wrote to memory of 2576	2564	DllCommonsvc.exe	71
PID 2564 wrote to memory of 2576	2564	DllCommonsvc.exe	71
PID 2564 wrote to memory of 1272	2564	DllCommonsvc.exe	72
PID 2564 wrote to memory of 1272	2564	DllCommonsvc.exe	72
PID 2564 wrote to memory of 1272	2564	DllCommonsvc.exe	72
PID 2564 wrote to memory of 1488	2564	DllCommonsvc.exe	73
PID 2564 wrote to memory of 1488	2564	DllCommonsvc.exe	73
PID 2564 wrote to memory of 1488	2564	DllCommonsvc.exe	73
PID 2564 wrote to memory of 2016	2564	DllCommonsvc.exe	74
PID 2564 wrote to memory of 2016	2564	DllCommonsvc.exe	74
PID 2564 wrote to memory of 2016	2564	DllCommonsvc.exe	74
PID 2564 wrote to memory of 2152	2564	DllCommonsvc.exe	75
PID 2564 wrote to memory of 2152	2564	DllCommonsvc.exe	75
PID 2564 wrote to memory of 2152	2564	DllCommonsvc.exe	75
PID 2564 wrote to memory of 2040	2564	DllCommonsvc.exe	76
PID 2564 wrote to memory of 2040	2564	DllCommonsvc.exe	76
PID 2564 wrote to memory of 2040	2564	DllCommonsvc.exe	76
PID 2564 wrote to memory of 2020	2564	DllCommonsvc.exe	78
PID 2564 wrote to memory of 2020	2564	DllCommonsvc.exe	78
PID 2564 wrote to memory of 2020	2564	DllCommonsvc.exe	78
PID 2564 wrote to memory of 1612	2564	DllCommonsvc.exe	80
PID 2564 wrote to memory of 1612	2564	DllCommonsvc.exe	80
PID 2564 wrote to memory of 1612	2564	DllCommonsvc.exe	80
PID 2564 wrote to memory of 580	2564	DllCommonsvc.exe	82
PID 2564 wrote to memory of 580	2564	DllCommonsvc.exe	82
PID 2564 wrote to memory of 580	2564	DllCommonsvc.exe	82
PID 2564 wrote to memory of 1892	2564	DllCommonsvc.exe	89
PID 2564 wrote to memory of 1892	2564	DllCommonsvc.exe	89
PID 2564 wrote to memory of 1892	2564	DllCommonsvc.exe	89
PID 1892 wrote to memory of 1248	1892	services.exe	94
PID 1892 wrote to memory of 1248	1892	services.exe	94
PID 1892 wrote to memory of 1248	1892	services.exe	94
PID 1248 wrote to memory of 1800	1248	cmd.exe	96
PID 1248 wrote to memory of 1800	1248	cmd.exe	96
PID 1248 wrote to memory of 1800	1248	cmd.exe	96
PID 1248 wrote to memory of 2340	1248	cmd.exe	97
PID 1248 wrote to memory of 2340	1248	cmd.exe	97
PID 1248 wrote to memory of 2340	1248	cmd.exe	97
PID 2340 wrote to memory of 2744	2340	services.exe	98
PID 2340 wrote to memory of 2744	2340	services.exe	98
PID 2340 wrote to memory of 2744	2340	services.exe	98
PID 2744 wrote to memory of 1724	2744	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aac02c9dfadc6ed9f7431ead74d36c60110a0b24de36865406d772023c8c4fe1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1800
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1724
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        10⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2444
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
        12⤵
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1616
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        14⤵
        
        PID:1900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2684
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        16⤵
        
        PID:544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2792
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
        18⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:320
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
        20⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2776
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
        22⤵
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:576
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        24⤵
        
        PID:852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1540
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
        26⤵
        
        PID:1844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2036
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        28⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4dfd30db60dbca4cabb64aa6bf76cfe

SHA1
90e63b43739775ba0040fd479440dd78209ada50

SHA256
a8830980373cfc1af44f0d28baa36f921e5386b3d6b1d545e050cfccbf82055d

SHA512
5da4c1684f700e7673b4bf3775a5e35c799c816649c3a2be3bbce7fdd3737e5d76bdfbd9550d29e8dfd9bee608e6fc4c2a45ce27ba786e4920c9638c6f11f55f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10ee6a270fb74d624796063ca9097631

SHA1
d4daba2455209b3b44864a564a1ba71e80c492ad

SHA256
28b647079d37c833532968ad4e354c481a6aed0e40a2f95670d9fd2221f762fe

SHA512
824a8c5f877beef77bdc1ebbab67319453114cced8203d09703eee0b13ce1787ab5eff5ca05dc66928d814614ca7cb1bd14d75e96023a38853f4a13c9368e8b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb973f8810caf2cdd1735f791d006b27

SHA1
0e20b0c46d7ac7bee18abc16cf8a7589489a736c

SHA256
91b51309141807b25e16ac9b086f43f83e23ff58ec83d4229869cd6e4688b0aa

SHA512
89f01fbb0d9ea45e49edff7b086f2fa0d7af82b02591916dff32c008947300fba290d738c4c391aabbe21c8854f945089da9d5be183cd6eb214b0c15f57d1bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
494a442792f9097dc141ea3d6d4d0ecc

SHA1
5b67428bbfdcd8b761a6e19807ed8e90eb5346a9

SHA256
2788fc5bf7c65c064bd600d05949ecc0478109808437fba6866bf9c7d61fd222

SHA512
34319c373dc0246b70ab638928aa3ffa50b579e6d704a312d4eb74e162728c0a177cf8a186e38d620f28cf293a55e3eb28b22d2088b90f0b8cfc039f47e3edba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ae425759cb59e0c233aeb57b980e6bb

SHA1
d045c905ac03d360b9cb7f4061a3ec5da42a975e

SHA256
54d1d5e48ae8632d953c7f08ba2c2a2f5e058bc59ab7210e8730889915d6e0b6

SHA512
b5ff7b623acb95d73109f93bf3b3fad350d14ae523156de6ae8aa4ce8ccd1e08782f6e59eb5959d58e8eb3eb320959fdb8cfc658e610ca7a6662c9670c919130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a2130383b648214ff5a2f24620a6808

SHA1
e1b0da6a383b4fd45ee690d991b11b6b955571ba

SHA256
a39686f109ba3ebbf24667a51d94bca075b22e07dd45c1807de83f561accc78b

SHA512
3154babb70dc04a14c768953b22ee1b150ab470919dc69697dba1c51433a3a0de12e7c7d8aeba60f7216268b62856b4501d58c8326942c1a173304012ec8e71d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5383bbd0090798398d9970db03948b62

SHA1
6e69e1e9c39615c107a0db127f97b25df6fe2bac

SHA256
3921161bd92eec6644956cc2e092b85f4d62adb71535debcf8b8236038115786

SHA512
b236dee02023c971923903049863015d862de0bbd8f39dafbcd8657283102bf206360c7d2815bf62caf96d1b9d465e12f8d3227dceb852176db92c9b7d3993e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d257e50f2a4bea25ad652b2960fce9cb

SHA1
1fc653f0161d11da9e491ce51303343ef71b038c

SHA256
285467c764333e82e73ddcfbc55a106ae2a8ef90a6b09d5c027ded66ca9e625a

SHA512
b58657a427ca44a760ebc52285edeed3c8fbef6e1ddb4e81b056acf6826f74eec7d0427197c6c2476f5dbb4b53089bcc9beece6237523e56ccf46e63f704b725

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e766daa87ea049c5d499ed8ebffd7b1e

SHA1
5a0fac3b2012b0dcc914df5964a7f59cde512e69

SHA256
3a00c4b4e39dcb4e4b72e9571d8d180a203aba53a57c5651d056c1cb4183173f

SHA512
cd454ba8497f253599eab4b29cdad0001ff0825258259ae7ed3d195a4cd570baf52648199820142d89320a25ceae7cec1e1a5cde0c8196380b11ac571c650cd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f2d42cef249b10edd490b4e547f31f4

SHA1
9caab9a5e6d296b6196eef83b43fa9397a09f59d

SHA256
d14c0aa9e6ef619488b9fe69fffacbe8e46847ab16a0be8fd80160d0508d219a

SHA512
9f468a7eeffc44069f38389d042af07239cc11468c728bffd701457e83dde9fd803e00ebdbd7b35153b07e58366fb529c1b0af7706a591c4cdfd4846feaf0a6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40ddcb2c5d0fd44527cfc01dfe5ecbf2

SHA1
0ac78244ad30b3d6ef16cc85d34c7219be389a4b

SHA256
8d18932a3099613103c7d2a668be079ecddcf7a4dab984b2c9564f96f0458712

SHA512
f9d5673f988f7ce461cec71b2a4912b1598f86c512d66eb4b7e922f1352f64995d944231290e8f6ff62ecddfa031adf8e094517af04c7fcb6ad9ab2b9088ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
195B

MD5
ff9459305d3fea31e87bc286852dc667

SHA1
dad9b08ee3fb4e985eb53792781d6310cacadcba

SHA256
04f64d48d5f4e1a3aff01ce51d9486bb352bc4521d0c98c749a031f819286485

SHA512
ba3a5acbeb2c3addc85e29bc0131a89debc16176a2a1c40ecc427df846f5fe753cd8cf91615ef9029a0b00c0bcdfc70d8e11a30271f5da2814fd99cf7f22bafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

Filesize
195B

MD5
aa65748fb550c9b9276928f6e73e5871

SHA1
a88c543871be7c2436df10e14f02a078247d9eb3

SHA256
1788bddcde4d633c7c9d298cc39c4ca7ae6b179c35513bd6ebbec822e8e374b2

SHA512
f5242679ddb10365c98d8bc0d7e54351624e1cdd14b1a0fb8725c38b550fcf8b95bb5c20f3df3dccdf45de48c8a6bf2ce4e67fae13a8ea5051149401c38d5106

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD99F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

Filesize
195B

MD5
75ecc35a1a565586a41cf7b434bf49ce

SHA1
266835fa115b4098fa77d15e88044ce794ca140f

SHA256
2ef4bcbc4fbfcd38b8aba4cc543217525175e8887bf53c986ef9019505dc6032

SHA512
40688d6fc8e5e2371702b4a41577d0e7987d35beebc16de838b9ec3e611c2bd150f31d975683b6d61bbad6d062db9d0b41fdabd4d50d1888c70f0e73f6080adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
195B

MD5
03e48c5f66f5eba2a8f761f5f2b1f6ad

SHA1
1bbbe6e3b3a25464acc0c457d568364e560d349d

SHA256
edfff49c396720267f45879c4ddbac7e24731beddc78a37bba17fecf3966f519

SHA512
f276abb60a2fbaceda230d9ee2937a10ecf10b1daa2a5a64a4ceb4413cdc8894d76c1859cc4ff513cf3bf8f6510aa6eb479efe1f62caadc54e89345b22343f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat

Filesize
195B

MD5
31d50b85845df068486201b929347e3f

SHA1
839c5b1e2b3b522750cd7f80b8815693da54a03f

SHA256
2f8393fab19c1b05936de428f8514209db56367d1c2ebed6b6bb5262dad00f4c

SHA512
646107304933c2813f6fca4e6cd3aaec575d0fcb8414f8723458f2c80dd3820e02947fe8e362183497906160473520337c699e49c843a4d9896bc788ec6eb6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9B1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

Filesize
195B

MD5
e06dd538fe7ffbc1485c4530d91ade4d

SHA1
f8f853f2fc70a0c52873857083c6f1465ba35c02

SHA256
61fba98089b641088c39c4f4374669d090a15c5d85866e9aafd042a171c97dcc

SHA512
489eca150e32f6a72ae59f6a476b0fc79ebd9f91d398d691049092f69ce57e0649496de6341690fb13ae299b3b6bdd177ef1bd43ac8e2880fc931bf90a07c807

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
195B

MD5
096f329fb5ffcd0a7c27245b1406dd62

SHA1
50126de330e915eeff05f73e0ef6efe644f472b2

SHA256
fc3a757c30c6bf12db4c622ebaa0257ee9ad58c565df41ff8a5aace15bbfcf6d

SHA512
9ffac0406bbebab2e4d9f17287c6d3d77cf698f908cc461999ebac84e0c45f903bd0a6ec1415d7e1e5ee67a6b702ecca8aa3d0583b79361bfe1863db77fb39dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat

Filesize
195B

MD5
1fedfab80816198e2a352b23eb10c10d

SHA1
277e913ffbbd1157591aae4c717bb771a58061c6

SHA256
3419acfb00df1f034dce6fb01fce9c4636b51491e59e756c95915c28bcd6b7c8

SHA512
beda82eaa788b3ff71ae162eb8599c5809266270186d1808f5616d860a2767ea48f5ee2de0cc087275102309a71a1d9eb0e043412f2382a5f8dd064e06655088

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
195B

MD5
bfa32f4456651c097cac1bcaa66af7a8

SHA1
0a8cbcf3f53a8b4a60edd2bab2937f78731e6d35

SHA256
91f0ded9ff16b74b3f8594b809e6b130b53eed7de338135ec97f902725bfb806

SHA512
05acb8a80dc9edf0dbe6f4d3bee9fad72e535a0f10774601b74d5f1f7f9fab2aa0287f80b4a1b68b5e586d5404d3832d6c16476ee583c5e7264700c9f7fcd219

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat

Filesize
195B

MD5
a34922d71a967a7edbd8d70456af9523

SHA1
bd50ce47620ef3b57b1ca032fd2f1ec20c95f88a

SHA256
a56400e4df5fcee7d5671b7b4528e3fb1d644d3396f712fc2809f7d7e1378a22

SHA512
48734cac851c22039565473f670035aa507848aba1bed688c82754dd1bfb874890654b49f38d5766318827d8139c972af851d2a1da9bebdeb417541e37c6e62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
195B

MD5
6869d09915d319a9355bf43a634b6844

SHA1
dedc3e4cc65320c30c99c4f368d148fe13efd06a

SHA256
ec1ff871804f8e259ae54d0938978552053583cef655fd80a1cd6ed13fec7d9c

SHA512
867f1af6b96a08a2df02f7717ffb92b4b196940b18cd774cc0789da29ab201c9828e3573402d97da8add4dfac1e51f9b4af3a61ccd5441db75d36e3db11de03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

Filesize
195B

MD5
febeaa563d942ca8421f12705400f4de

SHA1
bb5a943a751d8c151bfa9e799d9fc0e0a914ac85

SHA256
7619eadbf042d83038b6af352444614cb1f3ec4c976b0a3ae849d77c15229ef0

SHA512
77e96717057f1147ddf281e4eccd2f248462f6b10657e3121a200fd4fc068e98c10ccb8b3431072f01a63c9dd7fe92c96e917005158195c2335c681c0a0244cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dfdf3d52570a912c207863aa612f44dc

SHA1
0efd506e069d7de10815ea21f5a3174194663f3f

SHA256
ec316ff3096793a1ec7852837ec51135f1207a87b401c330183674e585c62c44

SHA512
e1963872ceda4986d304eeeec4d8c582c94150d7ec9905dec4b63238f1d75273f14303d93f1d184dbf918ea553f0e4597b1a03994f1edc6ea8c9f95f54923598

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/684-63-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1668-225-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/1892-50-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/1892-62-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/1952-466-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1952-467-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2016-61-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2516-587-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2564-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2564-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2564-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2564-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2564-13-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2632-286-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/2632-285-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2736-527-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2876-647-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/2876-648-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2924-347-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2924-346-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download