dcrat | bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a.exe
Size

1.3MB
MD5

cca2dbd90153d4946d3532466677a006
SHA1

61c70c0363d4784e4790e8b0641056dc1ae64672
SHA256

bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a
SHA512

d36e12b5ebfd0ced7a437aab13d689d06e8d2c41b62b4c3d336f8d12516f4d1824656a8a9a2903726b3dea39c02ad488afdda80485a2ef4225b2f5170f506ae5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2784	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2784	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016de4-9.dat	dcrat
behavioral1/memory/3024-13-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/1748-55-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/1060-180-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1724-240-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/3052-300-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1972-420-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/600-481-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1664-541-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/2516-601-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2852-661-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
3048	powershell.exe
1932	powershell.exe
2924	powershell.exe
1076	powershell.exe
1004	powershell.exe
1016	powershell.exe
2212	powershell.exe
3056	powershell.exe
1188	powershell.exe
2220	powershell.exe
2920	powershell.exe
2376	powershell.exe
3016	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3024	DllCommonsvc.exe
1748	audiodg.exe
1060	audiodg.exe
1724	audiodg.exe
3052	audiodg.exe
2516	audiodg.exe
1972	audiodg.exe
600	audiodg.exe
1664	audiodg.exe
2516	audiodg.exe
2852	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
3028	cmd.exe
3028	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\56085415360792	DllCommonsvc.exe
File created	C:\Windows\Web\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Web\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\en-US\cmd.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\en-US\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\wininit.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1328	schtasks.exe
2724	schtasks.exe
1912	schtasks.exe
300	schtasks.exe
1516	schtasks.exe
1384	schtasks.exe
2648	schtasks.exe
2828	schtasks.exe
2340	schtasks.exe
800	schtasks.exe
2600	schtasks.exe
1684	schtasks.exe
2368	schtasks.exe
780	schtasks.exe
2528	schtasks.exe
1488	schtasks.exe
2380	schtasks.exe
1620	schtasks.exe
2548	schtasks.exe
2392	schtasks.exe
2736	schtasks.exe
1796	schtasks.exe
1760	schtasks.exe
2148	schtasks.exe
748	schtasks.exe
2304	schtasks.exe
1332	schtasks.exe
3032	schtasks.exe
1524	schtasks.exe
408	schtasks.exe
2584	schtasks.exe
2732	schtasks.exe
2844	schtasks.exe
2188	schtasks.exe
1972	schtasks.exe
2112	schtasks.exe
764	schtasks.exe
2908	schtasks.exe
1980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3024	DllCommonsvc.exe
1044	powershell.exe
3016	powershell.exe
2924	powershell.exe
1016	powershell.exe
1188	powershell.exe
2212	powershell.exe
2220	powershell.exe
1932	powershell.exe
2920	powershell.exe
1004	powershell.exe
2376	powershell.exe
3056	powershell.exe
1076	powershell.exe
3048	powershell.exe
1748	audiodg.exe
1060	audiodg.exe
1724	audiodg.exe
3052	audiodg.exe
2516	audiodg.exe
1972	audiodg.exe
600	audiodg.exe
1664	audiodg.exe
2516	audiodg.exe
2852	audiodg.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	DllCommonsvc.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1748	audiodg.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	1060	audiodg.exe
Token: SeDebugPrivilege	1724	audiodg.exe
Token: SeDebugPrivilege	3052	audiodg.exe
Token: SeDebugPrivilege	2516	audiodg.exe
Token: SeDebugPrivilege	1972	audiodg.exe
Token: SeDebugPrivilege	600	audiodg.exe
Token: SeDebugPrivilege	1664	audiodg.exe
Token: SeDebugPrivilege	2516	audiodg.exe
Token: SeDebugPrivilege	2852	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 2020	268	JaffaCakes118_bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a.exe	31
PID 268 wrote to memory of 2020	268	JaffaCakes118_bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a.exe	31
PID 268 wrote to memory of 2020	268	JaffaCakes118_bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a.exe	31
PID 268 wrote to memory of 2020	268	JaffaCakes118_bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a.exe	31
PID 2020 wrote to memory of 3028	2020	WScript.exe	32
PID 2020 wrote to memory of 3028	2020	WScript.exe	32
PID 2020 wrote to memory of 3028	2020	WScript.exe	32
PID 2020 wrote to memory of 3028	2020	WScript.exe	32
PID 3028 wrote to memory of 3024	3028	cmd.exe	34
PID 3028 wrote to memory of 3024	3028	cmd.exe	34
PID 3028 wrote to memory of 3024	3028	cmd.exe	34
PID 3028 wrote to memory of 3024	3028	cmd.exe	34
PID 3024 wrote to memory of 1044	3024	DllCommonsvc.exe	75
PID 3024 wrote to memory of 1044	3024	DllCommonsvc.exe	75
PID 3024 wrote to memory of 1044	3024	DllCommonsvc.exe	75
PID 3024 wrote to memory of 1016	3024	DllCommonsvc.exe	76
PID 3024 wrote to memory of 1016	3024	DllCommonsvc.exe	76
PID 3024 wrote to memory of 1016	3024	DllCommonsvc.exe	76
PID 3024 wrote to memory of 2212	3024	DllCommonsvc.exe	78
PID 3024 wrote to memory of 2212	3024	DllCommonsvc.exe	78
PID 3024 wrote to memory of 2212	3024	DllCommonsvc.exe	78
PID 3024 wrote to memory of 2924	3024	DllCommonsvc.exe	79
PID 3024 wrote to memory of 2924	3024	DllCommonsvc.exe	79
PID 3024 wrote to memory of 2924	3024	DllCommonsvc.exe	79
PID 3024 wrote to memory of 1188	3024	DllCommonsvc.exe	80
PID 3024 wrote to memory of 1188	3024	DllCommonsvc.exe	80
PID 3024 wrote to memory of 1188	3024	DllCommonsvc.exe	80
PID 3024 wrote to memory of 1932	3024	DllCommonsvc.exe	81
PID 3024 wrote to memory of 1932	3024	DllCommonsvc.exe	81
PID 3024 wrote to memory of 1932	3024	DllCommonsvc.exe	81
PID 3024 wrote to memory of 3048	3024	DllCommonsvc.exe	82
PID 3024 wrote to memory of 3048	3024	DllCommonsvc.exe	82
PID 3024 wrote to memory of 3048	3024	DllCommonsvc.exe	82
PID 3024 wrote to memory of 3056	3024	DllCommonsvc.exe	83
PID 3024 wrote to memory of 3056	3024	DllCommonsvc.exe	83
PID 3024 wrote to memory of 3056	3024	DllCommonsvc.exe	83
PID 3024 wrote to memory of 2220	3024	DllCommonsvc.exe	84
PID 3024 wrote to memory of 2220	3024	DllCommonsvc.exe	84
PID 3024 wrote to memory of 2220	3024	DllCommonsvc.exe	84
PID 3024 wrote to memory of 2376	3024	DllCommonsvc.exe	86
PID 3024 wrote to memory of 2376	3024	DllCommonsvc.exe	86
PID 3024 wrote to memory of 2376	3024	DllCommonsvc.exe	86
PID 3024 wrote to memory of 3016	3024	DllCommonsvc.exe	91
PID 3024 wrote to memory of 3016	3024	DllCommonsvc.exe	91
PID 3024 wrote to memory of 3016	3024	DllCommonsvc.exe	91
PID 3024 wrote to memory of 2920	3024	DllCommonsvc.exe	93
PID 3024 wrote to memory of 2920	3024	DllCommonsvc.exe	93
PID 3024 wrote to memory of 2920	3024	DllCommonsvc.exe	93
PID 3024 wrote to memory of 1004	3024	DllCommonsvc.exe	94
PID 3024 wrote to memory of 1004	3024	DllCommonsvc.exe	94
PID 3024 wrote to memory of 1004	3024	DllCommonsvc.exe	94
PID 3024 wrote to memory of 1076	3024	DllCommonsvc.exe	95
PID 3024 wrote to memory of 1076	3024	DllCommonsvc.exe	95
PID 3024 wrote to memory of 1076	3024	DllCommonsvc.exe	95
PID 3024 wrote to memory of 1748	3024	DllCommonsvc.exe	96
PID 3024 wrote to memory of 1748	3024	DllCommonsvc.exe	96
PID 3024 wrote to memory of 1748	3024	DllCommonsvc.exe	96
PID 1748 wrote to memory of 1040	1748	audiodg.exe	104
PID 1748 wrote to memory of 1040	1748	audiodg.exe	104
PID 1748 wrote to memory of 1040	1748	audiodg.exe	104
PID 1040 wrote to memory of 2732	1040	cmd.exe	106
PID 1040 wrote to memory of 2732	1040	cmd.exe	106
PID 1040 wrote to memory of 2732	1040	cmd.exe	106
PID 1040 wrote to memory of 1060	1040	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfee365652897f2e92416a7c324f3fd7b02519e66b01c7938e134d39c038fe9a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2732
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat"
        8⤵
        
        PID:296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2708
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        10⤵
        
        PID:1236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2652
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        12⤵
        
        PID:700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1984
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        14⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1156
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
        16⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2988
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
        18⤵
        
        PID:2016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1408
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
        20⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2636
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
        22⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2768
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"
        24⤵
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Web\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c34e23090e473975b2ede84a7fb7ca96

SHA1
6f15916afc333c88f8827b17e788e59357fbb604

SHA256
2991f459ea9a483fbbe073b93fac7a3c746e9ab7ae0300f86577140d39684a61

SHA512
ccb47236c70e7f29acc7c7eac959222ba197d4b5f750553b3fe7753c61e703497e70136e238d915bd6020b04b21dc5971d41b92755e66b373204fedf88896551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfa04191f754dc3d552a07cacf0cc33d

SHA1
47730da08a0075f7763c0994c6635c00e35a0f5d

SHA256
db86807596b535fa3286aca55284e3efdd35ac3d596a2effcbf14e4684c4b5af

SHA512
7c03da2a98b70f973c87ef91590eda89010c0502650f6c4eb36b73fc087cc5da69f6c0d33beb05b3587e03805f64d9e536dc7f002f0f53f1fa5d93f12ae6f4d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92a808fee0c526f6bb36309798ac9de9

SHA1
925a33851720fb861e6eb4e3b2cce5f59271c40d

SHA256
53e0a9aa26cdcae9d9a2ffb906eb13a310000c8a0504f3893e12e00adc4c63a1

SHA512
fd2952e666560db18b5697a28fbc4afe5916759cc138b5876d63b12b6b9f008c401abfa9105691d22748fab24c8dae86fc0a7d7d21309bc2100acc9f6ade90c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6d6682c6171d231865027d349b0b973

SHA1
cc2af373010492598a2210175be1409d304367a8

SHA256
6dbc514cd7180e188ec41b35a80ba60ae0d8b40ba85bc1ff33795c466ad62f78

SHA512
1bbb0b1a89b3a3553cc02d831f7728aaf6c971582cd21b8233363bf4fbe3af587d3b9c8b80de196b1896f671c15c9ac4cce4e6048c06e152d77a7172687d9144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b65802b36130a78917951582756797b

SHA1
acb62a49c24be3ccd6702290670038ef9b02144e

SHA256
db8a66750b309d0c39bd6f9b5d82dc643bc8194cb3c291451cd18769cd4a1bce

SHA512
c88d7aeefdccce93411efc602f56596bdc8453809b685ae01a1d8317a92b6f6708c31e349a3ebab3a84b4c38ca09bc687220d45c94518e897697a96953029e6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f1faff54dee6794de56ce33c1771913

SHA1
974873ba0438be1f2c9f823825b05e604bac591e

SHA256
dc1b503d684c999dd6c9e1004e2e1fa93393d9e498d380556da6b7252a0e7de2

SHA512
64f3b0e808e8d0b9ff69b5f62538a7e9b8cad25eef2454e186706458a0664888540cf0dbd5d8c1cb36c81b6ee6aaf3d59937abbcecd0d603302b312a512a9e98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb473fc6a61051548f0061b2f937d98b

SHA1
b053c333d64073b90a197125f97d4265cd2253d5

SHA256
e4aba6ce757d42ce6c9c5e35d099d5d6f48dbda24f5276a94506765fb8d207dd

SHA512
32a7851ac2c2975f31f7e9edd6e6355448f979b01f315e3b9121fccb8e273ded9ce1ae890ec8147193121b8af10c7aaffae7af0013b49cccebc7f826830b6924

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34a6b75624dca7bc6805669e26c8b087

SHA1
5783c82be40837f4a0873418d7dbe0ae3f05a0e2

SHA256
33af6c09340a63d7ef94f4faa7952192daeb625f79f0983d80d9da6aefe1380a

SHA512
32b7537da10235bf9b0c3449d661882eed498eb252154d1f160305847de55ddb30b483aed20055c10ba179a847582102bdd7e0aefa649f37f85c0762e8dfa336

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54c536a1180c4806f09de2c346b55330

SHA1
d8973fd222e22c3b91a988efea6ff5c5e80e7c01

SHA256
2a934b2a4e4fd68835796e5edc22451239d42ca780b74f2d31b78743953bf0af

SHA512
fe142cdb38faa8b00adb1bcfd84b65c3fab52027e390a3a409b7f0ac18a9dfa2d361f6ecd890e44df6e92434a69ae5a9c08bb3314ebaea3d36aff335cb761cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat

Filesize
225B

MD5
52ef1549e5f853ea1cac02457c69e190

SHA1
fa6f933c9805085787bd274e939ffef38eff6f83

SHA256
7ce50bdc7c20d8554a375e2cd8e74545031189839346f5c5ffa9752ec747f3c3

SHA512
ab5e717391c3bcdac03dad36962abe21e1e593d396c33e30c0279ca19f01ac25ac06cd4cc97ba5f2551c82445f24e66868609ac2377522c0c4a9865d8c41f20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat

Filesize
225B

MD5
4a8a38e3af23a1d7a4b306cec5c92e03

SHA1
820565b5badb3a682c559dab8e7a5e04ba55c68a

SHA256
ff56d6b5c4f3d121110b4dd6797564c8cd3a082746d71f9ef4f64ac1e73b3022

SHA512
93217d1f3e65dd7785bcdad9db4f887788e5b9cf0ccb135a4b0afc3887072a8f4d140e1f8915e09738d07694625ffaaefe6cbc0b9ecea5dd9142dc4d7a1f58fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat

Filesize
225B

MD5
e6952f650a08ad559659b59ab65fe267

SHA1
d157f59eb1889e03f4157e01a4063fd4a681877e

SHA256
610ba686cbaccccf1cd8dd233c3653a8b71d690f679a11ecee4c6806fe8b4b6a

SHA512
e4594bd77216229ed80922ed6b5ff1d72af8dd8eec55674711f01a9e19df65da33f825bc8c542d8a50a5ad075abb61578a1fca7adcfc2829e11a5cadbf4eed6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

Filesize
225B

MD5
fad7cbb11b15aa8f5a04ad6cc2640c62

SHA1
be4f4bf5e6806f8cde2aa41352a4022af86d8929

SHA256
0b82f303d2f4e723b4e2f1a7ff89f4cb2c246bb9b63ab0e25b53837d68caa49e

SHA512
715c04e97c9fe13ad24d9b06dad91687c74ae7fd1d1c77d38fa3f2a4d334a1a2aab86871418c980c8e2e9399234a8e77e7bdfa3a1f959078fce66489b28a6139

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
225B

MD5
4b5ce5a6678b12a39bd0d12e13417633

SHA1
220a0276d84fa6af97fd237f8f717fe02c7393d3

SHA256
79b65ed4866583328483613ef9f2d6d0ed911c77832609085d3c57a8bc7b9403

SHA512
06efd861c8dc541e5471e33aec8ae5eaefbea414d9379d645140458695101adf4884f78673592c40063782c78614a06731342a8c657e58db5239568204c789d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat

Filesize
225B

MD5
b16d51ed330e1471f8fb814691eca346

SHA1
4f911348b16f295541b0926e80dbfe2ee91a22a6

SHA256
914f705dec11925e24c74229d9d3cdef3ac8414040cf2095e93e365fee605f38

SHA512
94cac2c3da72237235ef4963def71973badc9154cc9073746a2be01f772c305d9eea0a8f3f664fe2582679173d9f3df26ce5c61a8e54c0aa3baa90de68aa9519

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA04.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

Filesize
225B

MD5
376de664bcc5862711c220066d0e0fd0

SHA1
1fd17122df8913f05c19c7b17446fc39dd500119

SHA256
f4267254621c0e006ce1e825a8046babedbe7ce0cec9f2bac9b0bb69c5a95288

SHA512
5b5808a132231b8c7765699ec794a1a9b7a2069ac4e11944f5643c9e78d640b1c60840d7261a06bbb2e20dacdffe887a6763e69d422f990b775675807019d904

Download Submit
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

Filesize
225B

MD5
5b2f5234af0877c3591634a0f3d19086

SHA1
f488c062028aec0f7cfc5501f1db4139207eaf52

SHA256
3cec25117f8e04dd336e2a3240a35e5d44f606e47a68f3e00a68ed16487b856d

SHA512
f1b98036190e3751679d1f12f4d1308e2eb605bf80a5f770302853f1b18ff2db5e74bc5fab754201336719c9218d231448162ed46340a1ffe628936bf228835a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
225B

MD5
1e2ac70a781daabbfa55e0d21379ac7d

SHA1
f6018ba6b40e9692cd95a17b8a639f19c5fb4798

SHA256
0c7e4a183bca2c1b39ef592014cebf28508a5034c4e9ba9b626f19f5df18660a

SHA512
ecef4be54525553654228fb0eb0da9148af37e21dbcd19c5a99249a98f0e0d916f720141a9b6bff3d5771d61fb7a14cac43b6ad391edd494c4e78b3a8f74826d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
225B

MD5
b8fbd908642556aecdae8a2ba10ba4ca

SHA1
7ced9959e31e68554fcd03af3b441ed17b6b23f3

SHA256
4d38d4319f2f4c3116b1ac43645a45e005af80f2e13f2bc91d5960ce0bff6617

SHA512
61797f19dc3d25902a81038088417575cb2d958739911c368450d9574c2ab1f592ab62ffe222e524d6ef5d5ef12be0286d1255e3f256d63ff57cb0740c22e5fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1L8VLBN0DVVTRE37P1NU.temp

Filesize
7KB

MD5
2c2e9b9530c28da69ac1cd378861ee32

SHA1
a2dad9140467bdd9b3b4999aa447ceb621128691

SHA256
231468f456c27341c61c00f316d92fc485291b7119f472eb77c1215100b492cf

SHA512
2b96ca8c431c5c8b72f89ad2dea091054f74c8588e242bc2b21c61e9c630f4b8581aac27e9ba195284b7cd08e034480b1c1dec64eeaf792cdd034d481287450a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/600-481-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/1044-71-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1060-180-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/1664-541-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/1724-240-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/1748-55-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/1972-420-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/1972-421-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2516-601-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/2852-661-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/3016-72-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/3024-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/3024-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/3024-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/3024-13-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/3024-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/3052-301-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/3052-300-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download