dcrat | 31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209.exe
Size

1.3MB
MD5

ca8ad19f9d4e74fcc8db660ff5e5528e
SHA1

1b73e72ad3d7e892747d0abd4be450fc190ccdba
SHA256

31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209
SHA512

023780ba4310930b3a88541d2c7b0acafab6e3a21c183fd1943dbaf3608e654f07b5090241b3480b6fe35546268b85ac3bcde15ea98f3e682868e6300f50f833
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2616	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000017079-9.dat	dcrat
behavioral1/memory/2668-13-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/1524-42-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/2348-153-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/2568-213-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/956-273-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/2596-570-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/988-630-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/2644-808-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1920	powershell.exe
2152	powershell.exe
1348	powershell.exe
840	powershell.exe
952	powershell.exe
1868	powershell.exe
1968	powershell.exe
624	powershell.exe
1084	powershell.exe
1604	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2668	DllCommonsvc.exe
1524	audiodg.exe
2348	audiodg.exe
2568	audiodg.exe
956	audiodg.exe
2312	audiodg.exe
2716	audiodg.exe
1360	audiodg.exe
2172	audiodg.exe
2596	audiodg.exe
988	audiodg.exe
1156	audiodg.exe
2708	audiodg.exe
2644	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	cmd.exe
2756	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
37	raw.githubusercontent.com
44	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2088	schtasks.exe
2172	schtasks.exe
276	schtasks.exe
1480	schtasks.exe
2768	schtasks.exe
1720	schtasks.exe
1600	schtasks.exe
1700	schtasks.exe
2076	schtasks.exe
828	schtasks.exe
1112	schtasks.exe
1708	schtasks.exe
536	schtasks.exe
1356	schtasks.exe
1580	schtasks.exe
1936	schtasks.exe
1368	schtasks.exe
2220	schtasks.exe
2608	schtasks.exe
2404	schtasks.exe
2472	schtasks.exe
2364	schtasks.exe
2600	schtasks.exe
1648	schtasks.exe
2444	schtasks.exe
2720	schtasks.exe
3016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2668	DllCommonsvc.exe
1968	powershell.exe
1920	powershell.exe
1348	powershell.exe
952	powershell.exe
1868	powershell.exe
840	powershell.exe
2152	powershell.exe
1604	powershell.exe
624	powershell.exe
1084	powershell.exe
1524	audiodg.exe
2348	audiodg.exe
2568	audiodg.exe
956	audiodg.exe
2312	audiodg.exe
2716	audiodg.exe
1360	audiodg.exe
2172	audiodg.exe
2596	audiodg.exe
988	audiodg.exe
1156	audiodg.exe
2708	audiodg.exe
2644	audiodg.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	DllCommonsvc.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1524	audiodg.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2348	audiodg.exe
Token: SeDebugPrivilege	2568	audiodg.exe
Token: SeDebugPrivilege	956	audiodg.exe
Token: SeDebugPrivilege	2312	audiodg.exe
Token: SeDebugPrivilege	2716	audiodg.exe
Token: SeDebugPrivilege	1360	audiodg.exe
Token: SeDebugPrivilege	2172	audiodg.exe
Token: SeDebugPrivilege	2596	audiodg.exe
Token: SeDebugPrivilege	988	audiodg.exe
Token: SeDebugPrivilege	1156	audiodg.exe
Token: SeDebugPrivilege	2708	audiodg.exe
Token: SeDebugPrivilege	2644	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2660	2212	31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209.exe	30
PID 2212 wrote to memory of 2660	2212	31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209.exe	30
PID 2212 wrote to memory of 2660	2212	31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209.exe	30
PID 2212 wrote to memory of 2660	2212	31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209.exe	30
PID 2660 wrote to memory of 2756	2660	WScript.exe	31
PID 2660 wrote to memory of 2756	2660	WScript.exe	31
PID 2660 wrote to memory of 2756	2660	WScript.exe	31
PID 2660 wrote to memory of 2756	2660	WScript.exe	31
PID 2756 wrote to memory of 2668	2756	cmd.exe	33
PID 2756 wrote to memory of 2668	2756	cmd.exe	33
PID 2756 wrote to memory of 2668	2756	cmd.exe	33
PID 2756 wrote to memory of 2668	2756	cmd.exe	33
PID 2668 wrote to memory of 1920	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 1920	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 1920	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 1968	2668	DllCommonsvc.exe	63
PID 2668 wrote to memory of 1968	2668	DllCommonsvc.exe	63
PID 2668 wrote to memory of 1968	2668	DllCommonsvc.exe	63
PID 2668 wrote to memory of 2152	2668	DllCommonsvc.exe	64
PID 2668 wrote to memory of 2152	2668	DllCommonsvc.exe	64
PID 2668 wrote to memory of 2152	2668	DllCommonsvc.exe	64
PID 2668 wrote to memory of 1084	2668	DllCommonsvc.exe	65
PID 2668 wrote to memory of 1084	2668	DllCommonsvc.exe	65
PID 2668 wrote to memory of 1084	2668	DllCommonsvc.exe	65
PID 2668 wrote to memory of 624	2668	DllCommonsvc.exe	66
PID 2668 wrote to memory of 624	2668	DllCommonsvc.exe	66
PID 2668 wrote to memory of 624	2668	DllCommonsvc.exe	66
PID 2668 wrote to memory of 1348	2668	DllCommonsvc.exe	67
PID 2668 wrote to memory of 1348	2668	DllCommonsvc.exe	67
PID 2668 wrote to memory of 1348	2668	DllCommonsvc.exe	67
PID 2668 wrote to memory of 840	2668	DllCommonsvc.exe	68
PID 2668 wrote to memory of 840	2668	DllCommonsvc.exe	68
PID 2668 wrote to memory of 840	2668	DllCommonsvc.exe	68
PID 2668 wrote to memory of 1604	2668	DllCommonsvc.exe	69
PID 2668 wrote to memory of 1604	2668	DllCommonsvc.exe	69
PID 2668 wrote to memory of 1604	2668	DllCommonsvc.exe	69
PID 2668 wrote to memory of 952	2668	DllCommonsvc.exe	70
PID 2668 wrote to memory of 952	2668	DllCommonsvc.exe	70
PID 2668 wrote to memory of 952	2668	DllCommonsvc.exe	70
PID 2668 wrote to memory of 1868	2668	DllCommonsvc.exe	71
PID 2668 wrote to memory of 1868	2668	DllCommonsvc.exe	71
PID 2668 wrote to memory of 1868	2668	DllCommonsvc.exe	71
PID 2668 wrote to memory of 1524	2668	DllCommonsvc.exe	82
PID 2668 wrote to memory of 1524	2668	DllCommonsvc.exe	82
PID 2668 wrote to memory of 1524	2668	DllCommonsvc.exe	82
PID 1524 wrote to memory of 2988	1524	audiodg.exe	83
PID 1524 wrote to memory of 2988	1524	audiodg.exe	83
PID 1524 wrote to memory of 2988	1524	audiodg.exe	83
PID 2988 wrote to memory of 3028	2988	cmd.exe	85
PID 2988 wrote to memory of 3028	2988	cmd.exe	85
PID 2988 wrote to memory of 3028	2988	cmd.exe	85
PID 2988 wrote to memory of 2348	2988	cmd.exe	86
PID 2988 wrote to memory of 2348	2988	cmd.exe	86
PID 2988 wrote to memory of 2348	2988	cmd.exe	86
PID 2348 wrote to memory of 2536	2348	audiodg.exe	87
PID 2348 wrote to memory of 2536	2348	audiodg.exe	87
PID 2348 wrote to memory of 2536	2348	audiodg.exe	87
PID 2536 wrote to memory of 2356	2536	cmd.exe	89
PID 2536 wrote to memory of 2356	2536	cmd.exe	89
PID 2536 wrote to memory of 2356	2536	cmd.exe	89
PID 2536 wrote to memory of 2568	2536	cmd.exe	90
PID 2536 wrote to memory of 2568	2536	cmd.exe	90
PID 2536 wrote to memory of 2568	2536	cmd.exe	90
PID 2568 wrote to memory of 2848	2568	audiodg.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209.exe
"C:\Users\Admin\AppData\Local\Temp\31248fd4ada468d2de870038a2b1cf235cb955e849e6aacc8537746902fbf209.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3028
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2356
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
        10⤵
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2712
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        12⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1304
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        14⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2196
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"
        16⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1084
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        18⤵
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:908
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
        20⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2800
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat"
        22⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2636
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        24⤵
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2460
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        26⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:712
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        28⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2200
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aaffa6f13a8400c906a58bf5e0a66a3

SHA1
79ec9127097355dc62dd58b3216d9c6c978b209b

SHA256
3f1201ddf2249161c25f7812f6d39655c947bdb083066964f21e4e3b025c8dcd

SHA512
75b794d97950af09f7f41800908ed358867fa8fd7bcd80ab47b6026ba9e887241dead54ee1ff7833f8f6883536a2812644e0f8ec75a402a4cb9cbe2979880549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bff131bd3a5df88fc0cd3827abe933c7

SHA1
cd8c50b2a0ad18ea5526e1c0ccef2fef150e8432

SHA256
917842d4a581e71e90a7b58cf62bf990a9075f810910fdea0747d0716b6e33d9

SHA512
f5bacd944c11caeea8861c32a4a5cef46ba74525f2427ae2a0ade2b3443b5720b6cbcecdd08784cbed008fd72a1a0ba982b62e39d6303d40b9f38375808103f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
703066e9f12bd9c0326c7e968fe64589

SHA1
b039c9da85ca6bff4840114ff8197b006e81ca72

SHA256
74f003c84eef858da0a58fc04849466910aee2ea949edb24d314b3e38c640251

SHA512
eca6f21bb6df2d4823a65e8343459d978258e950efc418c39b7456f43aa9ed4597e7eeb8edb7c881d0844392efc7c945e5fd393703bf615899d04dd74fdb1537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e30b49b6a64597c8183010a6f58c1d0d

SHA1
08f22bcdec1d121e0aad79c7b9f5fb1c529bb6da

SHA256
14a20cd66bb8fe9292e626b4fd63be85aee49a5db1b4a2524a6ac1ef0dcdbece

SHA512
c36088da868d9df02d175dda07faf7dbd1373c8b192122bc729339694274cde9cc05926b2c403db805bbcd8d490154861a5875c4a6cd5adbb0846983642b3a0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cab1606bf0e03c8e2a454904f2e55e03

SHA1
b736f23b0c64290e93e700fe0eb5fc0f992fb7d2

SHA256
65ecb5efc961acd27058dc832b77ff4aa859c2e5f7998266667010d419e29f0a

SHA512
958399c54f27040df1bf3221f45538054711e7f097fa6a17383e92b95ef68ac9d92b0665e30c040d94be75bf59e35633836d98ba004719bdf27a45b637c17a07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d42641eec02a49a60255c8a37bcd19d

SHA1
984f07fe0e1d309539e2c5fd271e35ceb6ae5289

SHA256
ce45e4882870b4677cc5221e7d2bcc8db7ea2c14b5107567a24cee010b6f27db

SHA512
e11f993c1084bbd737c480bec7abc0cac94afd317cfc4b7fcae366189b8308a94c56f451dd538710876b61e9aea0c37823f3f2c2b8ab7127cf14e035aa7660ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c344df6e08b65371c6cd9af9a3e8f428

SHA1
93e21fbab1051c5ed6e3ebc57ff245454410cf75

SHA256
ddadfe701a937105b9e5929a39add944fcc15870038777062d78d64af5812433

SHA512
6096bef9eb6c3a350267a42ba4e6fe672a729cb34b9e9c493c1e6110b10523d969037cbab652385a61e685a75b94a796d10506b082fbeec68d2e3ae8e9af5fae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
438e92a2a2bb8addb6701e62b75402bf

SHA1
0792534fc907326c3d46b151bdf900d8a59b92b6

SHA256
8a621140e61f9701e42a02e6f6a3a74c3ab1ca8fc291c952f09889ed628f6a7b

SHA512
111b4c7fc2760c3dc5379c815fb3744611e9b78397cca6cac0c68a5b1f9ae45a3ba35e6879de4123694c15a971677087ec8756d96916414658aad8bad9e5685d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca185399f30e860f36de8d1d147b8c97

SHA1
6c45986643e4588e85a6ed373c906919046e10c6

SHA256
f0175a9664fdfa9f5296909ca1bd979c03c7873db2c1193d820cd532d99269ac

SHA512
f6385a90f50fd6d092ef940b2826ab85af67b1db88ae715835dfb0d077a0c3b76f1fdfa78165c7036ed2fc77320b498d652ee3aacdb5bb743f61df4791108a6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb97b6a5efe5d0ef257e33f39630ac4f

SHA1
06fb5b80c54ad5474257fbecab08d9c4bae5ef80

SHA256
bc9e8b1507ed4e82dac3d20dc4549376e52dba9cdf667bdbf982d533bb503fc9

SHA512
157f9fda326e08c6dfabcb946b05f20ecf2d2e0879c43461696674f36c1f52a8064a5abb61dea5fd9a6c17f54ceca6de6a67ac302f9db130b6ad41878f049648

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7022c7f89a717b0fce2fbbcf37ac2f7f

SHA1
6b055312956890e2d5e34f0ff078512e5d0f5f32

SHA256
a2fd14ec1a0f6c2b6eba480b1244ecfa8a803e2318e08459ab825294194f8ba8

SHA512
51bcc3bcded50ba30e5b28d3cb968bf464e2c5bca30f64043cd05066bcf7ea861c21e42da0a4352e80a866ad08044843fe5b3e62456110805169245ceeca365c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

Filesize
239B

MD5
d51237e48d1094bd186f0a61b724dc90

SHA1
1e388c06e645b8e52f264073acfefdaef75442bd

SHA256
0db43b67de8e883c6563190a52650e76719e3ef8ca9cc0d481eef590742cdfd2

SHA512
268433961163b7862455b4091c65c1f318811d7af97a12717fba70bf9de7851fb5ac62ded56ce016e5b869a0fc54917fea5c159b0571491ff0a5fcde3c034e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
239B

MD5
2776668137c7954aebd2ee1ea725aff2

SHA1
388b206ecad221daa26e05f9784b265ca5392dd4

SHA256
e6b917a6764d733b7420269b611de670bd13b17854c828f95b9c75900e5b2cd6

SHA512
8b32c746ddc0259ce94acd861498ef67ace3817ccf9c94ba9501e3b02727366db6f330979c1c8e2eccd6cefb9098b5b72742cc2fed57cf023374f3ed74ee5401

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

Filesize
239B

MD5
af0ff4fe28657fcf81cc44055c4e52db

SHA1
0d3c7758358d5697fd64abc128362fa97718d066

SHA256
7ed7f4dd53327564df0e88fbb879275068785805154557ce79d4ec84fa15fb34

SHA512
8f6c28a03ceba75de880e0c4e08871babe478d899510f718385ffb771f2be868e64ed9c0c940f1e6e8b9e1a7a4234da0875fc26293bc5a9f0a133c217f046237

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
239B

MD5
c70645d709d68183dca8cf1eff4f99f3

SHA1
cdcc41c619504bc289274181e232086b86c5c6b0

SHA256
fd2dacc18027985711bea69d60cbcce55acfc2fa3db5fd15c5f68b7b8d385992

SHA512
3e77a3f3b6d8559688524231d8e05471349ab02b1952e98e49b921b9fb14a2a1bf9adc1385326068890867c8357671e34b879075f5a4fb7f22e2c0d603c97e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
239B

MD5
82bd170d56d41ae27b50338ecf6cc25d

SHA1
964362605e4a4d02d088e3de57ada75830083c9f

SHA256
c4d157c71a0b65961878facbbc619bb192d697b24d3c0d8a48ae722ce6f0ee20

SHA512
fee210fc9da5d1cc359408f4e2e9490de610da1740c708a6feff76f7b2f342a328a549b459c50befd60fcfa87a7a5a98da5e844c689349321b7f558fbc8d0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2232.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
239B

MD5
ac2cc0ec335eaa60ba0b3cbf1bf59f8c

SHA1
5178fdecb91a4fa3c63bece1f58e7ebe34f2a316

SHA256
a3e5db0209f1ad7074f43cfe16f189703fa977f13a3f3450a6f042c79075f4ca

SHA512
a9712430896bef1b999ccae955a3eea51ef358cae4713f4a6e5f9063ce27242f193c6858b8aaf303e9a5a7411515ae71249f90e02122f9dd7ad04f4c243ee1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2255.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
239B

MD5
783b3976008901c8b96256eaefbdbc16

SHA1
c39c1a0d75e74580240c5f69fc4f54e7a108fc29

SHA256
e25579282f6f0b45b15236293974fb093d823e6285eb8da4dfdd03eea652ac6f

SHA512
fcc5b038958b04cedcb9fd0b988b7d511c638ff2d99384b35c76ed337c101ab4ded2a17d4e1dff84a570d4777cb2d5d29ad209bd7025c955b28df5cc5f04e978

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
239B

MD5
49785c5a57e1e81c01027a9ccd387001

SHA1
e68b79b917d3186fd012afee63b2f1aa672ef34e

SHA256
856407c8ba73acd7dadc89b6a7135378a211dbeebe7bec52f348ca38c9f158a7

SHA512
f1830f70ef0f44b3dac99cb36a8be735312285edb564f3780b6e00f3598eb59272f1682ff783796cc624f6077682cd1762155b69bf1f62f8762f5e53577667e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat

Filesize
239B

MD5
cb3bd9625d111e90f71dd845b7dacfd3

SHA1
bbc0deb53debe902eb885fd27e144e5669dd6482

SHA256
41779d6268ad8f9055b50c8035fb6a51ca94de6d76965f7813145912ca4c57a2

SHA512
f87698d58bc23a543044244194bdac3fe912047194178dd2ee93a927ceb494f1c2fd902cda6e19eebefb765caf4740116c988acfa7e295da3e60eb3ca5c9f027

Download Submit
C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat

Filesize
239B

MD5
2f88dc8ec78ba9afc7285545df45b844

SHA1
eeba25eb61930ea3543ef19cf8472b63a54c4ae6

SHA256
7f8e97cb1f93e97656628f187e59ff40218d1224fa8bf516d88e10b21bc48a05

SHA512
ac9b211231194965dd8c84f3edf825a83e8c04f48a29e233de142ac141aff8e810f4934b5878f36261b00f347e71a2f530352723e66bbe38525d3bc8a6046533

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
239B

MD5
fd02605975b047d22ef9184b71ef3856

SHA1
1828c2cd52be138fc358623005bf1987147e81ad

SHA256
a056fb8600022527c41d19b68908bcd62a9bc4ba19fcf15eb08a6232f3d1ada0

SHA512
075fa65e284e63df1eff1bd7f00f3eeef869f3901be3a283d81301ec27a5c65fd995c1971ae47cbdfe9472a0f4d8d6bb3368c3692197936de708bb3a4574b0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

Filesize
239B

MD5
dbe07114714ca50f7282fbe94336b3a7

SHA1
1f83955dd3521d0a3a1a959ddb7f41685a12330f

SHA256
89aec009ec096db545bdc3481299fefcc1f3d7c59eab0242e6aa36eb541e63a3

SHA512
1c4b03b8d2a9261dd9201bd238498a01121ae22aff62be9d2a822187120bc62371c89e65c98ea058d150b000c1e9525ebf9fb3de38fe585de13083192c5a8856

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4b7241b5b3f2da27976ceb2f6d33706d

SHA1
6d1f7cc9ea6751ffe61ca850552420ca82c5a26f

SHA256
4ed03fcf6046ab6812cbe0a5e6d691f25d398581ff61de71cb09d4e5dec7eed7

SHA512
fdfd59b279197f31edefc4f0644c6e45ef002082a89e41ea9b59954085458243965ca1bd09b0ff4e5b143bcbd8c3d025b968858d085b4ae3d56e2adad4806188

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/956-273-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/956-274-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/988-630-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/1524-79-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1524-42-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download
memory/1968-49-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1968-48-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2348-153-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/2568-213-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2596-570-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2644-808-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/2644-809-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2668-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2668-16-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2668-15-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2668-14-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2668-13-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download