dcrat | 42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b.exe
Size

1.3MB
MD5

28f00d04d26baa60ce6e213d8b52d964
SHA1

2f47911528b29719cf19c866d1ced034cac38389
SHA256

42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b
SHA512

c6bdcdc480b562b930dd3846595eb971e4dc91348fa736deafa02029e7413bd5a7b3ad5fe84440507f6b663b2483822234e566ee3dd0fef38dd2db138526bcf8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2352	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2352	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019284-10.dat	dcrat
behavioral1/memory/2844-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp	dcrat
behavioral1/memory/1884-51-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2384-225-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2236-285-0x0000000000C90000-0x0000000000DA0000-memory.dmp	dcrat
behavioral1/memory/2296-345-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/2764-405-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2220-524-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/928-584-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/1572-644-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2184-704-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1516	powershell.exe
1744	powershell.exe
2100	powershell.exe
780	powershell.exe
1648	powershell.exe
1536	powershell.exe
1040	powershell.exe
1060	powershell.exe
1868	powershell.exe
1380	powershell.exe
1724	powershell.exe
2484	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2844	DllCommonsvc.exe
1884	OSPPSVC.exe
2756	OSPPSVC.exe
2384	OSPPSVC.exe
2236	OSPPSVC.exe
2296	OSPPSVC.exe
2764	OSPPSVC.exe
2564	OSPPSVC.exe
2220	OSPPSVC.exe
928	OSPPSVC.exe
1572	OSPPSVC.exe
2184	OSPPSVC.exe
2132	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	cmd.exe
2824	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
37	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\Help\OEM\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\Help\OEM\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\Tasks\lsm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
604	schtasks.exe
2028	schtasks.exe
2980	schtasks.exe
2168	schtasks.exe
236	schtasks.exe
1372	schtasks.exe
860	schtasks.exe
2944	schtasks.exe
1664	schtasks.exe
3044	schtasks.exe
2424	schtasks.exe
1296	schtasks.exe
1608	schtasks.exe
1800	schtasks.exe
1300	schtasks.exe
1840	schtasks.exe
2476	schtasks.exe
1904	schtasks.exe
2120	schtasks.exe
2904	schtasks.exe
1136	schtasks.exe
2384	schtasks.exe
620	schtasks.exe
2744	schtasks.exe
1624	schtasks.exe
2088	schtasks.exe
2136	schtasks.exe
2504	schtasks.exe
2428	schtasks.exe
1396	schtasks.exe
1828	schtasks.exe
1992	schtasks.exe
696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2844	DllCommonsvc.exe
1040	powershell.exe
1380	powershell.exe
1744	powershell.exe
2484	powershell.exe
2100	powershell.exe
1724	powershell.exe
1884	OSPPSVC.exe
1536	powershell.exe
1516	powershell.exe
1648	powershell.exe
780	powershell.exe
1060	powershell.exe
1868	powershell.exe
2756	OSPPSVC.exe
2384	OSPPSVC.exe
2236	OSPPSVC.exe
2296	OSPPSVC.exe
2764	OSPPSVC.exe
2564	OSPPSVC.exe
2220	OSPPSVC.exe
928	OSPPSVC.exe
1572	OSPPSVC.exe
2184	OSPPSVC.exe
2132	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	DllCommonsvc.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1884	OSPPSVC.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2756	OSPPSVC.exe
Token: SeDebugPrivilege	2384	OSPPSVC.exe
Token: SeDebugPrivilege	2236	OSPPSVC.exe
Token: SeDebugPrivilege	2296	OSPPSVC.exe
Token: SeDebugPrivilege	2764	OSPPSVC.exe
Token: SeDebugPrivilege	2564	OSPPSVC.exe
Token: SeDebugPrivilege	2220	OSPPSVC.exe
Token: SeDebugPrivilege	928	OSPPSVC.exe
Token: SeDebugPrivilege	1572	OSPPSVC.exe
Token: SeDebugPrivilege	2184	OSPPSVC.exe
Token: SeDebugPrivilege	2132	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2644	816	JaffaCakes118_42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b.exe	31
PID 816 wrote to memory of 2644	816	JaffaCakes118_42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b.exe	31
PID 816 wrote to memory of 2644	816	JaffaCakes118_42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b.exe	31
PID 816 wrote to memory of 2644	816	JaffaCakes118_42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b.exe	31
PID 2644 wrote to memory of 2824	2644	WScript.exe	32
PID 2644 wrote to memory of 2824	2644	WScript.exe	32
PID 2644 wrote to memory of 2824	2644	WScript.exe	32
PID 2644 wrote to memory of 2824	2644	WScript.exe	32
PID 2824 wrote to memory of 2844	2824	cmd.exe	34
PID 2824 wrote to memory of 2844	2824	cmd.exe	34
PID 2824 wrote to memory of 2844	2824	cmd.exe	34
PID 2824 wrote to memory of 2844	2824	cmd.exe	34
PID 2844 wrote to memory of 1040	2844	DllCommonsvc.exe	69
PID 2844 wrote to memory of 1040	2844	DllCommonsvc.exe	69
PID 2844 wrote to memory of 1040	2844	DllCommonsvc.exe	69
PID 2844 wrote to memory of 2484	2844	DllCommonsvc.exe	70
PID 2844 wrote to memory of 2484	2844	DllCommonsvc.exe	70
PID 2844 wrote to memory of 2484	2844	DllCommonsvc.exe	70
PID 2844 wrote to memory of 1536	2844	DllCommonsvc.exe	72
PID 2844 wrote to memory of 1536	2844	DllCommonsvc.exe	72
PID 2844 wrote to memory of 1536	2844	DllCommonsvc.exe	72
PID 2844 wrote to memory of 1060	2844	DllCommonsvc.exe	74
PID 2844 wrote to memory of 1060	2844	DllCommonsvc.exe	74
PID 2844 wrote to memory of 1060	2844	DllCommonsvc.exe	74
PID 2844 wrote to memory of 1380	2844	DllCommonsvc.exe	75
PID 2844 wrote to memory of 1380	2844	DllCommonsvc.exe	75
PID 2844 wrote to memory of 1380	2844	DllCommonsvc.exe	75
PID 2844 wrote to memory of 1516	2844	DllCommonsvc.exe	76
PID 2844 wrote to memory of 1516	2844	DllCommonsvc.exe	76
PID 2844 wrote to memory of 1516	2844	DllCommonsvc.exe	76
PID 2844 wrote to memory of 1868	2844	DllCommonsvc.exe	77
PID 2844 wrote to memory of 1868	2844	DllCommonsvc.exe	77
PID 2844 wrote to memory of 1868	2844	DllCommonsvc.exe	77
PID 2844 wrote to memory of 1648	2844	DllCommonsvc.exe	78
PID 2844 wrote to memory of 1648	2844	DllCommonsvc.exe	78
PID 2844 wrote to memory of 1648	2844	DllCommonsvc.exe	78
PID 2844 wrote to memory of 780	2844	DllCommonsvc.exe	79
PID 2844 wrote to memory of 780	2844	DllCommonsvc.exe	79
PID 2844 wrote to memory of 780	2844	DllCommonsvc.exe	79
PID 2844 wrote to memory of 2100	2844	DllCommonsvc.exe	80
PID 2844 wrote to memory of 2100	2844	DllCommonsvc.exe	80
PID 2844 wrote to memory of 2100	2844	DllCommonsvc.exe	80
PID 2844 wrote to memory of 1744	2844	DllCommonsvc.exe	81
PID 2844 wrote to memory of 1744	2844	DllCommonsvc.exe	81
PID 2844 wrote to memory of 1744	2844	DllCommonsvc.exe	81
PID 2844 wrote to memory of 1724	2844	DllCommonsvc.exe	83
PID 2844 wrote to memory of 1724	2844	DllCommonsvc.exe	83
PID 2844 wrote to memory of 1724	2844	DllCommonsvc.exe	83
PID 2844 wrote to memory of 1884	2844	DllCommonsvc.exe	93
PID 2844 wrote to memory of 1884	2844	DllCommonsvc.exe	93
PID 2844 wrote to memory of 1884	2844	DllCommonsvc.exe	93
PID 1884 wrote to memory of 1504	1884	OSPPSVC.exe	94
PID 1884 wrote to memory of 1504	1884	OSPPSVC.exe	94
PID 1884 wrote to memory of 1504	1884	OSPPSVC.exe	94
PID 1504 wrote to memory of 2332	1504	cmd.exe	96
PID 1504 wrote to memory of 2332	1504	cmd.exe	96
PID 1504 wrote to memory of 2332	1504	cmd.exe	96
PID 1504 wrote to memory of 2756	1504	cmd.exe	97
PID 1504 wrote to memory of 2756	1504	cmd.exe	97
PID 1504 wrote to memory of 2756	1504	cmd.exe	97
PID 2756 wrote to memory of 916	2756	OSPPSVC.exe	98
PID 2756 wrote to memory of 916	2756	OSPPSVC.exe	98
PID 2756 wrote to memory of 916	2756	OSPPSVC.exe	98
PID 916 wrote to memory of 2776	916	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42aab74dea23c3c0dc29e195400d08f9ecd88ee8275dde75a1e6dfa894186d1b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2332
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2776
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        10⤵
        
        PID:2624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2100
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        12⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1680
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        14⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3000
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
        16⤵
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:380
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
        18⤵
        
        PID:1516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2584
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        20⤵
        
        PID:716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2812
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat"
        22⤵
        
        PID:620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1452
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        24⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2688
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        26⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2096
        
        C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Application Data\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\OEM\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Help\OEM\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a8870ebd8805d1002049486baf026c0

SHA1
6a36c522a5e36e4a3a69426840931ae0517a6319

SHA256
a8558fb632e3872cbb141ca9d67e94559cf87a15bb88e0f52b64dec5e44762a2

SHA512
4eb163f19e5ffc70906f3ec111b7fc84dad3d1559e2c0b4308eab564ab1be8bae053e1921a06abb01549646cefceafab1d2933c552cab5ac62b09f398fcd24b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b4fbcbd990a13ed8695f356add326a5

SHA1
106fc6dfec44bc3f053fc0e0faf477decebc7407

SHA256
dc8ba571144e39a7bf0dfb6150483a12c2b9d455fc3462810e306ed953d554b6

SHA512
b4f072526806b4e369ee68e5bf0a59f171d0c2ecb092cd5c076dfa5a61e234009bed3fde34ffb0662dffe77442232619bcc103af6fa933a295bf623a3fd35f2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0175ed60099b13213d59bc3eea829e62

SHA1
0805c04359167ab293d854630f839960fb73b457

SHA256
9acae75732fd979b60499704f0a03b8c6adc0ac017888b54242ea5d444616430

SHA512
052769fa5383a2655e154353c64c22942623d0e1332e1eb983e8c61988006bc85106a7e9f10ebf3882fc23228b8f1dc03900f1b6bc0c23640fbaf7d21496821d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4239b802df58719a8e391c11d0b49ec1

SHA1
013d41edcd5313e5730573cb7212191ab7fa3ecc

SHA256
d374657a59748a3a5f6f5291376d514fc6726ee1f0c0f5e16e94b47c45137acb

SHA512
317205c1c614f9b28d0c5884a6f3afe22bbdcbfa23dfc7a3b787948958473df286dede216c5d77d536511f76d57874d022692709e5389ecb5b8ef55c820b1e01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70654ad2ce145954637ac643383fe4f6

SHA1
fff2836fe07f08a47889f0efd1904874d8aacc3f

SHA256
bd0cb5c9b0ee576dfc72487a42ef962fee4e4e9bdc93c16fec09c936bd3383d8

SHA512
32277ee5189e8303ef957f2eb7b904b20e5c5e26514295ab3e1d81261f923ab829607be713ca61dbe2a14446ca869357f5745bec2970880c8154c52992b29a90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
559aceb89df2226425aee27d9b306430

SHA1
c63af425ab2e374db633a48252075b1673914966

SHA256
cf938a1ba5dfa9cb4dbc367f36cec580fd779104e35c7dd451386fda45354fbb

SHA512
9061b3c2b5091764ff1131dbb9784986450aeec963ca62474fd3ff52f92c812e075ccaf467bd6120a1cc7443387b36d76d105b0af3345598f866c47bf62054f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0f4a6e47b891aad664dfdf3c997e03c

SHA1
7f2af3cb65e1466d940a848d2d96bd7ec9708dc4

SHA256
7de0ddbe4702aa7db34702ec85b1fa33f3155ed77d929b3339b55271071f4111

SHA512
fa702262abd04b0fa3e92c98f1e6ae629d2ec7cf85fa7893d6a14425ae77f9759b722e7c72822bb0c5511f7cec584c305ca0889ce79fc547552028177dcbf495

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed1d87202ac55a5eb3a5625b1b4921bb

SHA1
e5fd4b9000716ccb902c338899e8b4a41f827b25

SHA256
26db7e59cbeba21218ff5282f829cbe1a7f877c3af1ee5b4e555a7abe903d03a

SHA512
5166d3c07e307d0ad8eccfee25a392b5c63b536cb3a196f4357af98a98eabfddb21d29810557225d436428632e1559f6103388d9cbebc6b04a906c01e7ebeb7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9edb5165ca84e2c906a32eaa659fb3c4

SHA1
d6275721da2e0d471868daccd8efe1be6466d174

SHA256
9866bc2ba45759fae248bf4d48f40a22d147ba79db0fc5c844cbf0a214de66c8

SHA512
b768d1747fc347b68b78e8a20e8d7a5c8aced851505a2c799e3dd15dc1d2ee6f21e90b4ef60a6a1fbd32623be54f8cada86c130602a6cf9440eac1efa64ec34f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5871fff870125b8178f22a4d94508e79

SHA1
a53121945cd97c02b0a82af32166a46b74a4e4fc

SHA256
a16be40d7cf017ed30db6da3b164d10940feb18869ddf53cd5de72bf48d2f81a

SHA512
720a46a2faf2c134a6b99575cb9d936f620af4f08af9f7e7a8740917c23a66bef78ac29606ce3a7ec2bbbaaa89db4f8709881b2b9af13c2b01dcdafc1e77ef91

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

Filesize
228B

MD5
6a562056451e15e8836d43cb212584eb

SHA1
b5440b21454d609a2d39149d6a93907330a96293

SHA256
f74d29da6ed3bf8b1bd43eeaab8fed58fde23e46cf3d9dc61f8e087ceb60b1a6

SHA512
313c54a5f04909ab3b5e89bdcf6e39b00b06f3126eb8f75378832e1e9077e03a161faa87cfd128e14331653dbf3d4d2b226d86d15bc11a4439367c04c33e2ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat

Filesize
228B

MD5
5cda9412596f4c0fc63c489ec0c4b776

SHA1
3f27ff4a12bef42a23bf2124ac854af5bbeba08d

SHA256
6f122eaa38d1e5919ccf6d285ae2edbda99f9ac2575e15649b07ecf1adafb913

SHA512
e9484cf94a9837230445159a238d59c7ea55e607401f830d659110165f34450aed3b520fa52e3522f3ce96415959810624b37bd7cb75cbdb59379a55970b84e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab19F8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat

Filesize
228B

MD5
d4d57d268b0822e266c1040f6d4207bc

SHA1
09974aa131ed2ebfa34cdd929df797629aeeae2a

SHA256
5d4e00b1cae1d85b44183738673a6ad3c6a296d36ac89533a8fd91e495b38f46

SHA512
52ad65768fbc36b55ef799f80550b2f717e6e7a995e6f8a1e71b99ebae95d3f71efa491faeacd8aa003d56cd9fe579ed9bbc8a08e65d7d37bc740b613ce9bd75

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
228B

MD5
9cb240791dbf091549a6616adb205724

SHA1
d1af783e77fc76eae8b6cec517bd4a6b75ac2016

SHA256
b81a1b7154e7597da619f498071686c68558b445f7935fc99f0e7007c1de83c1

SHA512
d8a57ce8790eda7a169894857c0b5f1584becbc3239b00a836f4635f3301af47fe5e7f7824efae027aa0fcf0f3ef87264c4cb48167515f7904442dd05a74f1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

Filesize
228B

MD5
08bc88112741be506968ec8141314bc3

SHA1
45b836f0776a70b58425ddeddd909cc52263ea58

SHA256
25d5c07586ecdcee42faf2e6501d9a02351d3fb6f6df4779d070dfa4324b70eb

SHA512
05c1ec1e16caee85a41c4c861c94b2f34fd5f4f83352a3980668c043fd3b5a2e78b8a221176c86b12b80311a9d03463cbc2dd6d17c3ca50d0b08b78d09f0cb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19FB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
228B

MD5
a303823add851072f226ee9b1c5442a1

SHA1
24ee010f1be53ff43f95f22daac3d2a2cb5c9128

SHA256
2f1bd46fe145279b1da55ce81b272de113acfbaf808657a7017b0f4dd25bdb43

SHA512
e0bbecc91fd98e109a812405e67d94e068116a4a009563382a46e720702f80a5650c32e8066851b75bb8ca73c9025bbd84d0c0bbf25c291f125a195db21094df

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat

Filesize
228B

MD5
d2632873fa37ca765818d24357834539

SHA1
5f6cc97169d3d98096fab71a683fbb62f0779a61

SHA256
56cdf27bffcd59833ce06ea891a7576e7c5f7ebacf027944c21e91fb84a08a09

SHA512
481da34cc8f634da23fd10eaae0b24aa46c54e84400b23162940f04e7eb7ddf20585ac46adddb98baafa5ef064a6a6de15345eb0a065aabbb567f23f109afc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat

Filesize
228B

MD5
cb38e867b7f85cddaed57a3d9f08387b

SHA1
ca05800ee31a59467fe8333997dc25ac625d4b7c

SHA256
97a9a43190bf00890d5b462a036f2fe31843944f4d32bfb2758849e0e016a104

SHA512
f52323bf969d44c18c5484cc6250c505fd2ebcf94b4940160189c1031d4ce40c2fff5cd5e6e052ded2e9c35717d6af091297e87679a27c3f9824668557c582f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
228B

MD5
f628a72c453c38cf9a21170280ccb0bc

SHA1
1d27b20192fd8940f4878523a5d21f1b90c3135b

SHA256
c1e271cbb3d7c8919b3f40655c3f5334277576c18e1379ec621d19ad0bf321e8

SHA512
be13ed4f94a79c7231175f2862ee3a39137b598dfa7dff6493c4e309240bf8aaee8289882ab04e2f39d2f1da3b8fc8fbd3d277395651bc657176f77fd7c48c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
228B

MD5
0bb6b6f1745d95331ebd96b05b2740dd

SHA1
9cdd32048c498c87cacb3816b4d83dacbfdd4bd6

SHA256
6642adf409ca586505ac39b95cb14c75bb1e6ac281f486c69253e179b9bd258f

SHA512
348d6603aa288011de6919b59cc94c72e71745f9e4ee1d8766130df930df52506d4aaa732b179eb2aece3f3192a5e461dedff2c45f5f1c0885b606da28d67cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

Filesize
228B

MD5
ad75a370a863f33e2c73d94c9cf487c2

SHA1
b09bd279d2a8792270b30a466e73e83ea7995ac7

SHA256
d8e9bce6675973e40ca66eb9e21baef35c327a09699a266702c02e52e694eeee

SHA512
0f478f989c8d483c7b316920a1bf520f4f9baac2583fae037fbc64cbf0c86ca63cb9a378bddda925c0ecfc34bb874f9cccf36e4596fec83f3da4d696e1203767

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e4acdd6320e66913edfa164e5d7a4d2c

SHA1
cb1a5046aa2c7b60dc8a8a4f913399b364291af7

SHA256
67d65498f931bbc23ae5ca0c36cc515caf664ae359749323266c1bff91162ddd

SHA512
82e341f363fe4e23a59b39e4091676c211989999186efbc1e8c6ac9febcd44998a2943934a5611b996efc976ff6a188d2eebc9fcb352fa6c3420011429e29a62

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/928-584-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/1040-52-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/1040-53-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/1572-644-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/1884-51-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2132-764-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2184-704-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-524-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/2236-285-0x0000000000C90000-0x0000000000DA0000-memory.dmp

Filesize
1.1MB

Download
memory/2296-345-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2384-225-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2764-405-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2844-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2844-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2844-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2844-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp

Filesize
1.1MB

Download
memory/2844-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download