dcrat | ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae.exe
Size

1.3MB
MD5

9ef1cfe015dc82aceff0c8692e7c4a2b
SHA1

8c8bf82f29261f45d7daef840e7bf3813924dc17
SHA256

ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae
SHA512

c69765804d634b0663d414271e39d3720e53561e381dcb2e495217f813f9e2e3ce52baa128d0d279ed4fce9278ce0dc2ab188a9d769f2fd35c8090bca83229ea
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3008	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d0d-11.dat	dcrat
behavioral1/memory/1332-13-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat
behavioral1/memory/2808-120-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/1036-238-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/1424-299-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/1152-478-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2544	powershell.exe
3048	powershell.exe
1740	powershell.exe
1028	powershell.exe
1656	powershell.exe
1168	powershell.exe
2584	powershell.exe
2576	powershell.exe
2152	powershell.exe
2424	powershell.exe
988	powershell.exe
2248	powershell.exe
3004	powershell.exe
1752	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1332	DllCommonsvc.exe
2992	csrss.exe
2808	csrss.exe
2504	csrss.exe
1036	csrss.exe
1424	csrss.exe
944	csrss.exe
3028	csrss.exe
1152	csrss.exe
1680	csrss.exe
1292	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	cmd.exe
2256	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\system\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\system\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Windows\ShellNew\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
2224	schtasks.exe
2940	schtasks.exe
2004	schtasks.exe
752	schtasks.exe
2264	schtasks.exe
1624	schtasks.exe
1268	schtasks.exe
1664	schtasks.exe
808	schtasks.exe
2996	schtasks.exe
1728	schtasks.exe
2176	schtasks.exe
2976	schtasks.exe
2196	schtasks.exe
1228	schtasks.exe
992	schtasks.exe
400	schtasks.exe
3060	schtasks.exe
2840	schtasks.exe
2580	schtasks.exe
1992	schtasks.exe
2092	schtasks.exe
1488	schtasks.exe
2600	schtasks.exe
320	schtasks.exe
2480	schtasks.exe
2676	schtasks.exe
2828	schtasks.exe
2320	schtasks.exe
908	schtasks.exe
2608	schtasks.exe
2872	schtasks.exe
2412	schtasks.exe
1128	schtasks.exe
1680	schtasks.exe
2460	schtasks.exe
2292	schtasks.exe
1256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1332	DllCommonsvc.exe
2248	powershell.exe
2576	powershell.exe
1028	powershell.exe
1656	powershell.exe
3048	powershell.exe
1168	powershell.exe
3004	powershell.exe
2544	powershell.exe
2584	powershell.exe
1740	powershell.exe
2424	powershell.exe
988	powershell.exe
1752	powershell.exe
2152	powershell.exe
2808	csrss.exe
2504	csrss.exe
1036	csrss.exe
1424	csrss.exe
944	csrss.exe
3028	csrss.exe
1152	csrss.exe
1680	csrss.exe
1292	csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	DllCommonsvc.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2808	csrss.exe
Token: SeDebugPrivilege	2504	csrss.exe
Token: SeDebugPrivilege	1036	csrss.exe
Token: SeDebugPrivilege	1424	csrss.exe
Token: SeDebugPrivilege	944	csrss.exe
Token: SeDebugPrivilege	3028	csrss.exe
Token: SeDebugPrivilege	1152	csrss.exe
Token: SeDebugPrivilege	1680	csrss.exe
Token: SeDebugPrivilege	1292	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1052	2420	JaffaCakes118_ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae.exe	30
PID 2420 wrote to memory of 1052	2420	JaffaCakes118_ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae.exe	30
PID 2420 wrote to memory of 1052	2420	JaffaCakes118_ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae.exe	30
PID 2420 wrote to memory of 1052	2420	JaffaCakes118_ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae.exe	30
PID 1052 wrote to memory of 2256	1052	WScript.exe	31
PID 1052 wrote to memory of 2256	1052	WScript.exe	31
PID 1052 wrote to memory of 2256	1052	WScript.exe	31
PID 1052 wrote to memory of 2256	1052	WScript.exe	31
PID 2256 wrote to memory of 1332	2256	cmd.exe	33
PID 2256 wrote to memory of 1332	2256	cmd.exe	33
PID 2256 wrote to memory of 1332	2256	cmd.exe	33
PID 2256 wrote to memory of 1332	2256	cmd.exe	33
PID 1332 wrote to memory of 1656	1332	DllCommonsvc.exe	74
PID 1332 wrote to memory of 1656	1332	DllCommonsvc.exe	74
PID 1332 wrote to memory of 1656	1332	DllCommonsvc.exe	74
PID 1332 wrote to memory of 2248	1332	DllCommonsvc.exe	75
PID 1332 wrote to memory of 2248	1332	DllCommonsvc.exe	75
PID 1332 wrote to memory of 2248	1332	DllCommonsvc.exe	75
PID 1332 wrote to memory of 3004	1332	DllCommonsvc.exe	76
PID 1332 wrote to memory of 3004	1332	DllCommonsvc.exe	76
PID 1332 wrote to memory of 3004	1332	DllCommonsvc.exe	76
PID 1332 wrote to memory of 2576	1332	DllCommonsvc.exe	77
PID 1332 wrote to memory of 2576	1332	DllCommonsvc.exe	77
PID 1332 wrote to memory of 2576	1332	DllCommonsvc.exe	77
PID 1332 wrote to memory of 2544	1332	DllCommonsvc.exe	78
PID 1332 wrote to memory of 2544	1332	DllCommonsvc.exe	78
PID 1332 wrote to memory of 2544	1332	DllCommonsvc.exe	78
PID 1332 wrote to memory of 1168	1332	DllCommonsvc.exe	79
PID 1332 wrote to memory of 1168	1332	DllCommonsvc.exe	79
PID 1332 wrote to memory of 1168	1332	DllCommonsvc.exe	79
PID 1332 wrote to memory of 3048	1332	DllCommonsvc.exe	80
PID 1332 wrote to memory of 3048	1332	DllCommonsvc.exe	80
PID 1332 wrote to memory of 3048	1332	DllCommonsvc.exe	80
PID 1332 wrote to memory of 2584	1332	DllCommonsvc.exe	81
PID 1332 wrote to memory of 2584	1332	DllCommonsvc.exe	81
PID 1332 wrote to memory of 2584	1332	DllCommonsvc.exe	81
PID 1332 wrote to memory of 1740	1332	DllCommonsvc.exe	82
PID 1332 wrote to memory of 1740	1332	DllCommonsvc.exe	82
PID 1332 wrote to memory of 1740	1332	DllCommonsvc.exe	82
PID 1332 wrote to memory of 1028	1332	DllCommonsvc.exe	83
PID 1332 wrote to memory of 1028	1332	DllCommonsvc.exe	83
PID 1332 wrote to memory of 1028	1332	DllCommonsvc.exe	83
PID 1332 wrote to memory of 1752	1332	DllCommonsvc.exe	84
PID 1332 wrote to memory of 1752	1332	DllCommonsvc.exe	84
PID 1332 wrote to memory of 1752	1332	DllCommonsvc.exe	84
PID 1332 wrote to memory of 2152	1332	DllCommonsvc.exe	85
PID 1332 wrote to memory of 2152	1332	DllCommonsvc.exe	85
PID 1332 wrote to memory of 2152	1332	DllCommonsvc.exe	85
PID 1332 wrote to memory of 2424	1332	DllCommonsvc.exe	86
PID 1332 wrote to memory of 2424	1332	DllCommonsvc.exe	86
PID 1332 wrote to memory of 2424	1332	DllCommonsvc.exe	86
PID 1332 wrote to memory of 988	1332	DllCommonsvc.exe	87
PID 1332 wrote to memory of 988	1332	DllCommonsvc.exe	87
PID 1332 wrote to memory of 988	1332	DllCommonsvc.exe	87
PID 1332 wrote to memory of 2992	1332	DllCommonsvc.exe	102
PID 1332 wrote to memory of 2992	1332	DllCommonsvc.exe	102
PID 1332 wrote to memory of 2992	1332	DllCommonsvc.exe	102
PID 844 wrote to memory of 1992	844	cmd.exe	106
PID 844 wrote to memory of 1992	844	cmd.exe	106
PID 844 wrote to memory of 1992	844	cmd.exe	106
PID 844 wrote to memory of 2808	844	cmd.exe	107
PID 844 wrote to memory of 2808	844	cmd.exe	107
PID 844 wrote to memory of 2808	844	cmd.exe	107
PID 2808 wrote to memory of 2132	2808	csrss.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef68545981106cad8a3672372e707e4e8d508666c9daa9039bee329f077ef7ae.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        5⤵
        Executes dropped EXE
        
        PID:2992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1992
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
        8⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:944
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
        10⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2888
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat"
        12⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2992
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        14⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2832
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        16⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3052
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        18⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:276
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
        20⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1128
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
        22⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2012
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\system\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\system\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\system\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ShellNew\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64ef869316739405cffa8d28643101d2

SHA1
7b620d11d23174556c3fb350a501f555aedfeb90

SHA256
576e56849927bb5dd2f0c4f169b146c715dd0d9ca6505cb4fd4f5e73f4cc3867

SHA512
55df263bc4aa914c0e2a5456552a902ab779ee9f8c727ab71f2a929510e97b0af985ede3b8c258d67c3f03274db09276f195b4f0df1670b81fe9ca9aa55fc902

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b4b3492ca1375a23ff45edb74b08b82

SHA1
0ad12b4dd09660792d10b02a84766e7e224accdb

SHA256
3c58b47120949c006d2851c846e94f6d1e0fa8f838e7097774ec92abf1edcba3

SHA512
4be2fa2e0e3370b79479ac8153162a17dd7089ba06e7064b3bf7afbec3dcd824c711302aa5494d5c1fd76e59b8a9acbea8ae32c483997aeb6d1857a82ae4746b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1642efe2833e04e3416f19cb75cf63e

SHA1
990954343b929a96a0784ce5838365f193405b30

SHA256
24e9a0a72c5dbaa98a12280e00a5ddf591e1cb88e369e52797be0fbddb7536a3

SHA512
9b64fa5c70b31ac856c2a5d4f49c8f11b0dc26223cd03618ce6c13633a920143b09b2d839fa0fce8a9bcc037c989a31873d8e1231ca0e8ddbd1c9143d2453731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
728df4cbc7bf5f221af8221630665631

SHA1
4ceabe9b582b49981ff8cb81be35aa4d375dc29d

SHA256
09628fa1ea5123d3ef2bd311e2ccb9b10921cc918750ea89c72db7929a77d6af

SHA512
3765953798297b8e8ad71ac4a1027b3c28a026f9856ac5762719a0489c43e467f0b7082c71c17c37761188a9e8cc7b42184ef2489056412ecb832b7a719c533f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
012ad111b40e8d7e62e49a486cf188b1

SHA1
91aa3e14afbb0e592285242924022ee2814d41fb

SHA256
2caa2f220e4b7dec522e9d607ba4db8e3fe1a846248a4e7d69cc03407f80b2c0

SHA512
d826482d119ef0caa500a17b474a6d201f11b36e5c422ba554c748036a129c01933699cae4bb78a72dd6b781928736d843b47d5e624f517ff9415a04db922c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5693ed456cf393cba1fe73a1a5b8a19f

SHA1
0e8d7b8d69114869df8b1d7f191c4eeb923d58ef

SHA256
7f7904bf1ab30fbb1a8988b53e0e461900d3281662f7eebadae91f1ac5425210

SHA512
2ca0b0b3fffede73f5dc28225f4d4cd6066e70d344a01bd80acc90b8df25632a01311f6ab37aeb8b7f92012b027cec1bad2fb6929771c4b084a0a02445571308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c09d059bda55dcfaf6b1b5b6685713e

SHA1
844ef25c5431e8378c9c76757cd0e5993c15ae9a

SHA256
cc9be5698df1256a9bf621554a9013ef1f71bb7d900900ead9e1d95bc9ef23a8

SHA512
12119cacf48dfca06319eb29712bd9551b5d29323ed472cb6adef8780b690df391e55203058e6e540ad92ff52829222c71a044d5e50d3f74140859f852e15897

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
192B

MD5
5121037ea44970319dde8c720aa55834

SHA1
f316cf4f782b49014ab7fa4f1f166cf90e97a7e9

SHA256
b8091c55ffcbdc33c548c072a9a193d0baef47ca051a5413b0349a4b7e5c0944

SHA512
6033208ee0e1e7008a70ac5c59d1e1ed94cba999b099ffba3b371abf06b9bf9142c5dfeb282658ac3e788b7ed65572fb217a8ec385a8d0fc5bf0d10240272cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD4C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD5E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

Filesize
192B

MD5
46073245c6e87283821fcb4028d573a5

SHA1
2fa111de3829c2820cfaeab1a494523a92183e27

SHA256
301132b6c18fa1450081ade00ce35b9dc5da84b28205ec3a4ece10e35a176a89

SHA512
6f2002b3fe0d529e29417450ace2cff869ad660cd7a1ffc2945f41dac8636780b1d3136b26df38dd5803a9501d6494be6c0b399ef77e5f21e73c29d03db6e153

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat

Filesize
192B

MD5
638184ec796126d7582d7326c6a12650

SHA1
c0023f272c75d88210963947b403dc1ba5defff8

SHA256
dbef5d8e5d346a5db965f07931f43a689e2a637d7fee9e13dd368d8b59b90e95

SHA512
7fa7d59e2a8f907de35f88d04611bb753f5e1775938a06b48a3f4c07ac4d9e3e47896570f8845584511e311ce84a68ad7ce42f2e6c1cf32e9ac5119c56254b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
192B

MD5
7cd774ea18ad61e95ed550fc3747f474

SHA1
1e3b12fa37cd3eb5a5cfd0e68ee9ae2212ea39e1

SHA256
a94796844ba469cf1a54f06dc35e522e7f003a9587e5f734aacc003c104f25d1

SHA512
8e696fea22a46f9d5e60730f4b4d79572254a411556f7436219d9b79005aebba06a0017fde7add8a92dc9c46587388365e845accff800a665ed984d903efcf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat

Filesize
192B

MD5
72c3acdccf34c5b27283483717a776d0

SHA1
54455679d06c8ce57ecd6b794510183e19619c20

SHA256
e6a58525b9537f7304d11f3f714f1cadc34de96d04f7acd6a8ff8047281c3dfa

SHA512
6c518e2f1b11461a4b0fb6173175e5b55bca53a132cf2b3382d4fee08b999e70dfdc4bdb8d91a5c44acdca99cd68aa99aa22c6a506bacf750ca62124ecc994be

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat

Filesize
192B

MD5
e47efddd3ab895352278d61f944f206c

SHA1
98690e0423879ba149b2bc81100ee7461c734848

SHA256
332ffa48fa851072b9121db41e9f41a2164df90e2d5af89b54cadb768c31b9d5

SHA512
65abd8ca84143ce406429cd77378dc4d6320dc24c5e461266abbc6cc26a95a043ac0167df9342fe26317546881578c135638c26a3a5587f30502d883d7d58ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat

Filesize
192B

MD5
02fd819c034f96132679351a62f6fe3f

SHA1
7b21b1b8796bcca7710be652417e167f3822db02

SHA256
ac8c97eb26c1410fda327e4b41d22ce8723f27ae291931982d205f3179b08300

SHA512
3dba65757ea6a1beda80343ebcd99721ba4fd2746d8754e440a12082895bf3487bb7800e8d6a8926095d96fb5ec84436cef030f4a08cc7628604ee0fd5480c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
192B

MD5
25d00414e126ac29efa1e40b0283cb88

SHA1
4129ccf2772bb1fe5b96c9a6b589177b8be95566

SHA256
c5e0f668346700c77f90effce55eea789a7c8066aaadde6f9f57544f9d67efbd

SHA512
07e0187610c2dfa6987c29f7808eb10cc4fb8402a3be7e8a73371ba76bc5219bd02059df09119deeb042bbfd05f0c63f4c35dbc5953ea8ab10e58f4a0fa50c95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
583b8cdb6df1f71d6e3b08ad13ac454c

SHA1
d97a7601b74e6b15559dab42b89db4f06d2bd6bb

SHA256
f2ee15dc8f1527e23ef0dd8ae7c1ff199084ca8f8df9d7660afafb5955124881

SHA512
86e353cf6a464ec2347a2550579fd4c3802a190e4d07498753ef4ecef5240cef2996da67853909b4c6013bad41d34aa7743be957d0b07c5c9d3354ca07585697

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/944-359-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/1036-238-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/1036-239-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1152-478-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1292-597-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1332-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/1332-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1332-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1332-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1332-13-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download
memory/1424-299-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/2248-55-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

Filesize
32KB

Download
memory/2248-53-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2808-120-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download