dcrat | 7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2.exe
Size

1.3MB
MD5

126104700a71dc8b27a8c88eb05a0c5b
SHA1

acea174007bef3b159a848d50a11ce6b4b499cc0
SHA256

7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2
SHA512

7a878fc9310f915a6687481910bf86e96cbf717277947fd4da9bd8ed4dc6bfc89720323d4af6b12809e1ade0f918524197a943256e32d3ca36226c460b4cb11b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2656	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016ca0-9.dat	dcrat
behavioral1/memory/2620-13-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2436-59-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/2816-392-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/1128-452-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1864-571-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/1992-691-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1848	powershell.exe
2852	powershell.exe
552	powershell.exe
1564	powershell.exe
2004	powershell.exe
2008	powershell.exe
276	powershell.exe
1516	powershell.exe
1376	powershell.exe
1520	powershell.exe
2044	powershell.exe
684	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2620	DllCommonsvc.exe
2436	audiodg.exe
2452	audiodg.exe
1224	audiodg.exe
552	audiodg.exe
1552	audiodg.exe
2816	audiodg.exe
1128	audiodg.exe
788	audiodg.exe
1864	audiodg.exe
1964	audiodg.exe
1992	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	cmd.exe
2288	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\servicing\fr-FR\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\ShellNew\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2336	schtasks.exe
952	schtasks.exe
2084	schtasks.exe
1840	schtasks.exe
2068	schtasks.exe
2424	schtasks.exe
2188	schtasks.exe
2760	schtasks.exe
2184	schtasks.exe
700	schtasks.exe
644	schtasks.exe
1184	schtasks.exe
1776	schtasks.exe
1592	schtasks.exe
2108	schtasks.exe
1976	schtasks.exe
2428	schtasks.exe
292	schtasks.exe
1612	schtasks.exe
2172	schtasks.exe
1720	schtasks.exe
1128	schtasks.exe
2244	schtasks.exe
1344	schtasks.exe
2392	schtasks.exe
2128	schtasks.exe
2904	schtasks.exe
1712	schtasks.exe
264	schtasks.exe
924	schtasks.exe
352	schtasks.exe
2096	schtasks.exe
2544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2620	DllCommonsvc.exe
2620	DllCommonsvc.exe
2620	DllCommonsvc.exe
2620	DllCommonsvc.exe
2620	DllCommonsvc.exe
1848	powershell.exe
1520	powershell.exe
1564	powershell.exe
2008	powershell.exe
1376	powershell.exe
684	powershell.exe
2044	powershell.exe
276	powershell.exe
1516	powershell.exe
2004	powershell.exe
2852	powershell.exe
552	powershell.exe
2436	audiodg.exe
2452	audiodg.exe
1224	audiodg.exe
552	audiodg.exe
1552	audiodg.exe
2816	audiodg.exe
1128	audiodg.exe
788	audiodg.exe
1864	audiodg.exe
1964	audiodg.exe
1992	audiodg.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	DllCommonsvc.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2436	audiodg.exe
Token: SeDebugPrivilege	2452	audiodg.exe
Token: SeDebugPrivilege	1224	audiodg.exe
Token: SeDebugPrivilege	552	audiodg.exe
Token: SeDebugPrivilege	1552	audiodg.exe
Token: SeDebugPrivilege	2816	audiodg.exe
Token: SeDebugPrivilege	1128	audiodg.exe
Token: SeDebugPrivilege	788	audiodg.exe
Token: SeDebugPrivilege	1864	audiodg.exe
Token: SeDebugPrivilege	1964	audiodg.exe
Token: SeDebugPrivilege	1992	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2808	1956	JaffaCakes118_7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2.exe	30
PID 1956 wrote to memory of 2808	1956	JaffaCakes118_7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2.exe	30
PID 1956 wrote to memory of 2808	1956	JaffaCakes118_7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2.exe	30
PID 1956 wrote to memory of 2808	1956	JaffaCakes118_7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2.exe	30
PID 2808 wrote to memory of 2288	2808	WScript.exe	31
PID 2808 wrote to memory of 2288	2808	WScript.exe	31
PID 2808 wrote to memory of 2288	2808	WScript.exe	31
PID 2808 wrote to memory of 2288	2808	WScript.exe	31
PID 2288 wrote to memory of 2620	2288	cmd.exe	33
PID 2288 wrote to memory of 2620	2288	cmd.exe	33
PID 2288 wrote to memory of 2620	2288	cmd.exe	33
PID 2288 wrote to memory of 2620	2288	cmd.exe	33
PID 2620 wrote to memory of 1848	2620	DllCommonsvc.exe	68
PID 2620 wrote to memory of 1848	2620	DllCommonsvc.exe	68
PID 2620 wrote to memory of 1848	2620	DllCommonsvc.exe	68
PID 2620 wrote to memory of 276	2620	DllCommonsvc.exe	69
PID 2620 wrote to memory of 276	2620	DllCommonsvc.exe	69
PID 2620 wrote to memory of 276	2620	DllCommonsvc.exe	69
PID 2620 wrote to memory of 1516	2620	DllCommonsvc.exe	71
PID 2620 wrote to memory of 1516	2620	DllCommonsvc.exe	71
PID 2620 wrote to memory of 1516	2620	DllCommonsvc.exe	71
PID 2620 wrote to memory of 1376	2620	DllCommonsvc.exe	72
PID 2620 wrote to memory of 1376	2620	DllCommonsvc.exe	72
PID 2620 wrote to memory of 1376	2620	DllCommonsvc.exe	72
PID 2620 wrote to memory of 1520	2620	DllCommonsvc.exe	73
PID 2620 wrote to memory of 1520	2620	DllCommonsvc.exe	73
PID 2620 wrote to memory of 1520	2620	DllCommonsvc.exe	73
PID 2620 wrote to memory of 2852	2620	DllCommonsvc.exe	74
PID 2620 wrote to memory of 2852	2620	DllCommonsvc.exe	74
PID 2620 wrote to memory of 2852	2620	DllCommonsvc.exe	74
PID 2620 wrote to memory of 2044	2620	DllCommonsvc.exe	76
PID 2620 wrote to memory of 2044	2620	DllCommonsvc.exe	76
PID 2620 wrote to memory of 2044	2620	DllCommonsvc.exe	76
PID 2620 wrote to memory of 2008	2620	DllCommonsvc.exe	78
PID 2620 wrote to memory of 2008	2620	DllCommonsvc.exe	78
PID 2620 wrote to memory of 2008	2620	DllCommonsvc.exe	78
PID 2620 wrote to memory of 2004	2620	DllCommonsvc.exe	80
PID 2620 wrote to memory of 2004	2620	DllCommonsvc.exe	80
PID 2620 wrote to memory of 2004	2620	DllCommonsvc.exe	80
PID 2620 wrote to memory of 684	2620	DllCommonsvc.exe	81
PID 2620 wrote to memory of 684	2620	DllCommonsvc.exe	81
PID 2620 wrote to memory of 684	2620	DllCommonsvc.exe	81
PID 2620 wrote to memory of 1564	2620	DllCommonsvc.exe	82
PID 2620 wrote to memory of 1564	2620	DllCommonsvc.exe	82
PID 2620 wrote to memory of 1564	2620	DllCommonsvc.exe	82
PID 2620 wrote to memory of 552	2620	DllCommonsvc.exe	83
PID 2620 wrote to memory of 552	2620	DllCommonsvc.exe	83
PID 2620 wrote to memory of 552	2620	DllCommonsvc.exe	83
PID 2620 wrote to memory of 2436	2620	DllCommonsvc.exe	92
PID 2620 wrote to memory of 2436	2620	DllCommonsvc.exe	92
PID 2620 wrote to memory of 2436	2620	DllCommonsvc.exe	92
PID 2436 wrote to memory of 2964	2436	audiodg.exe	93
PID 2436 wrote to memory of 2964	2436	audiodg.exe	93
PID 2436 wrote to memory of 2964	2436	audiodg.exe	93
PID 2964 wrote to memory of 1416	2964	cmd.exe	95
PID 2964 wrote to memory of 1416	2964	cmd.exe	95
PID 2964 wrote to memory of 1416	2964	cmd.exe	95
PID 2964 wrote to memory of 2452	2964	cmd.exe	96
PID 2964 wrote to memory of 2452	2964	cmd.exe	96
PID 2964 wrote to memory of 2452	2964	cmd.exe	96
PID 2452 wrote to memory of 1944	2452	audiodg.exe	97
PID 2452 wrote to memory of 1944	2452	audiodg.exe	97
PID 2452 wrote to memory of 1944	2452	audiodg.exe	97
PID 1944 wrote to memory of 1376	1944	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f2300649f42612f9365430f6892c6558faf0f2d5cd352c46d58417e8ce6efe2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
    - - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1416
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1376
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
        10⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2812
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat"
        12⤵
        
        PID:976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2612
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
        14⤵
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1176
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
        16⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2628
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
        18⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2196
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat"
        20⤵
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1456
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
        22⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2432
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
        24⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1304
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d2546910f8236d0486086131c115899

SHA1
729b2783141df40167110622be6528503ad0c23d

SHA256
db4ac8924f38c449df0a335828a556739a85fe18a94cf477273a74f513b4a96f

SHA512
fd2c7c9a5616e85d43446dd2150cae95cced23a2cc7b383025e18a847af3bc120ba29327d49a6dc8541b5b27fd0f528824cc3469bac6fe8815175e5e77d21c31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
770f7574b67ed6d23b55990eab637e63

SHA1
40225bc4818d950d01638e11454951fd33b8b966

SHA256
058b2e3f4ba3ae8ccddb9cd9a6600ff55f71d1c2aa0be6726dd9ec45dc516305

SHA512
8ee6724dfd7db8cc98dc77ea612044d44ac0adfed95ce02b0816b345c31e1bacc967934ecbf3f4197b9082252dc17669c1809e22393369ed56e6543337f46917

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68726ea787cc9a0a0c54934bf23cec4c

SHA1
98a56e16dbecdbe91e0abf8ba923a94f65ffdde0

SHA256
1f013c0f27e68a71b88dd88f6c5faa3eecda992a0ebedf107c28d76269052965

SHA512
65eebd421d74f9055bb10fd71dfd97fce8c601d3f4b9a8e19964427ccd8b9c275db9c481bd8e51ed610cfc1280d0a191c19c1efe8e7972cb4a480e45fd1fe357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d421df890a756b9d6c0b146ee9388e4

SHA1
07df099d3f29428c484aad8272e7db533f1d22b6

SHA256
f0dd62c9c2e7fede25d826e11571ed3f7a447b6795ebfedf5b543518f8bac5f2

SHA512
545122a4cf0b4c93bb56335403acd306ec4842d6d6dfa94d0f5483f47af57ef2578fc3170e31fc5497dc3af4c76d729f88bbaed6d1656adb158e534188154809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c05233cd791dd387e718aeb1db19e1a2

SHA1
d16c001dcf89bf48d3db5ef93b777eac4abdef7f

SHA256
b4ad67edf4d7977ea1f4a2eb606a1554e4c49d8ae0d76688e8e82fce5c7a8b0c

SHA512
e20d72af4ef2c1eaafdeff9a25bbe9967887db43538ccba4ce6d2dc90a2b7c63567b52a7771749b9ce85f04ce1f71164f53935060f976b3947ba5b4651c850e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6b4a6553122a6d16475b0416b5fbf1a

SHA1
180366682162c5f96d24a959b92d9e027049949e

SHA256
614166a9a05c049a7ea4e60c17c3b56893fcbd369c741448b4fc570a6ddab00e

SHA512
4548d24ac9a682c853c32c706f32e103184891bb1fc42dc75df53324174c9a981021fe20ce5751c1136fbd7d8c9046c0a4800af5def4e356a02d49f5394fe484

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
399504929f6fa4e5d882b2e08ddb3e76

SHA1
d891c9141cf86234bca541b3e7a8bb957fd606cf

SHA256
6c071b0934f025ea5c6a641902b42439f59c3a794c88c2f6e7f34d6bcd35aa9a

SHA512
b28f1bb14ea794da7472d1959558af7018214ea4a78b39396baffce7444c85ae8c3d0d9d341c8442dcfd1c8910eedc216ef2f9a72ac53edff574f7707bfcb97f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11eda95d6524eb82adcb580e1ab29bca

SHA1
98987d9ee4ddd7425db5ff6a74a963173b715ccc

SHA256
8d0491745f1fe1d1a1817088f5c04f6364540408a36087a33bbc2e09380281d3

SHA512
3697c3ebf0c57c56b4b87d0ec7e4b750a94ee7a24fc3d24af6e15dd207ce9c04211b3d554b832cb45114ffff4e55ebd0aa3ddfc62700578bdb1f831c625c3825

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a223a43e81d77f66c389a5809525b148

SHA1
cf02c50b49a25234c61f46651bdec824ad30deb5

SHA256
0ed8804b6afdb39e92c368021c7f83d9e057ef78403c2c1c45736eb21cac0131

SHA512
acef383c84d89feec13e5043ea7921121b5de5c1f3e78fc3613437ce35ac9f941ecbbeb8dc0a7b0602d50dd70e6988ed291b2a9f570b7b39bb2047d11bbfb7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

Filesize
225B

MD5
033d907250af19df81a6f6dd09f0221a

SHA1
25789837304cad635ec3fbbaa55444d08a554a7e

SHA256
9dfe54a3cac374dbb22dae07192024665d834ec33dc38edb0ed746f50fa8b2b9

SHA512
793f418cc32b43d74aabb0b8ef508f20e435e56ab6e538cb5319866239a09fe4f78a99beccad4d578822e971d7503f8e16a454e805257ffde82ccd0b58438cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

Filesize
225B

MD5
a3598190f73383968e1695dbaf18d3a9

SHA1
44250a77309850869bfc500c1433e937f090d37e

SHA256
21aafd5833ab75182708aee935fecf1cdb6ff0753c30a33c4c77bdd624338039

SHA512
0dffce647dc8fb807fa95e04a8e4602b38578192aab7584d49b1cfa7e1bf8a866860e574fe6bf4e32f6e874aae9525af9ae9eb79c89e33e4cb7237367ecd52a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat

Filesize
225B

MD5
d39284e9597a7286b67fc87d500ece85

SHA1
1450323281f57432d5375d5a658a6eeaa6fc827e

SHA256
38a819a21aeef5e08de8806d461948a773d942d99de89ddd8ca280401b68da43

SHA512
e792c1e52744e66bc52492f0de2d3c5be3b47cc5798b07dafe2e86b3fea44017ff8845b5a9217254ac304aebe4b15bb6b8d568a522a1443ac35a78a5dde20864

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4E51.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat

Filesize
225B

MD5
a9c9f4ced45498c985c910ce005dff8f

SHA1
0925720c659ab85a338c2ff09966eb476f3dc184

SHA256
b780f9dd7c5cad28c838861c5507b2bd885fc428d24206947852ecea00c56db8

SHA512
71dfa114577ab2bd6517eb3b5e38bc4ec8674f2de198f81a52c09d0581e7cb7fee0de3c1934955816d1eca7a4ed28f1a9e669633a655a335b3f4dbe90b473f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat

Filesize
225B

MD5
499136ad105da05d39cfaf228d469a8e

SHA1
ec82ddc8931734d17b93533d19f453cef90d01f7

SHA256
7d95041e6c18de2039013bd62892ef7fba8a7ed131189d8b5f74e1e240c35b55

SHA512
77e02705dcaee668cab33bd3f117d3f9b56d29adfccea917a13c71a064dbb404a8311a8681b3b72dfb9306e3aaa3288ec8ee3d58e190b6ea5a3e2d6e3c98c325

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

Filesize
225B

MD5
0a3df628e0465c0a070f88c78757834d

SHA1
570249a12c3fd81ba28466c01849e2eb2fe9906b

SHA256
0d030cb3257009ecaf122a9dc49973f3b03dab88963ed79c92a9830621912624

SHA512
2e28503a134619a3ff1921ecbd35de05b328a942d8efbe0cc9bc489e605fa5b9b5f5ac6c1fc009f7dfb98893c3af65ee81926169f6947e22d984983409f61491

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4E54.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

Filesize
225B

MD5
aeae634fe39471a8eb92f25ded991464

SHA1
6bdc4a2b7dc6fe19a732d6b3a4768d159836ad82

SHA256
b42beac67498539ebe2ae545b6162bb5ace708947c50ae8d8f686cbc983cc662

SHA512
514a0d8cdf31d47eb7fd9d2df61f8aef6e664b9a94c65785a933436ecfe20664a807631e970dfab6b60224a6467d2b2a43915e4af91a7e1c3e5998be4511e5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

Filesize
225B

MD5
e0136b52e408c320b75ef9da0f3e8aea

SHA1
96a0bddcfef9cdfd17ba10ea1ebf86e1c10de09f

SHA256
91b0344e218b7db26ef393a5c62f9805dbfd2dd4ae4e4a07ecbf9f562cfd0ca9

SHA512
26268bd6fc45d499178f5f027c0c2075be4003fca0c0dc0e090efcd0f969d7aca06cf863946ceb4d456552a48cdf8b825dfb7adb4b9b3cb29946c49056808e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat

Filesize
225B

MD5
3a58f59a668b170a3a070e5f6951a658

SHA1
cc7b15dce98e4221cba9d33db7b18c8eef672c2d

SHA256
6df89f2dc43263ac430c2e80bf59dd34bac0655abc6b10543a83063a9727db7c

SHA512
22a601d3bf3ffe2fd2b0d1ce9cc4185c8f02a6d66d34c36a011869994f34b59e27575866edcca2d8f5fee6b1514df226e05b0ec46c3733917211f60309bdb0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
225B

MD5
eca67b254221781b458bda0f06794cd4

SHA1
06eef280743e35702a84dcb97536974e3cc83807

SHA256
c02371c282507602c57a8a3d46023f589d822f33ab048e775530e8b0c1a7d747

SHA512
9352c54f5ce9acd884433f80545f56f1d505976514870dbe4e871ef4fc6d2d88115a476a5ab46f6f6913a3a4095852e188f685d73ab5f80208276ba4baf5ae23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b03cc179f0e0e23442ab031c9e0c8770

SHA1
fb3610bad5e0ec77b6e7882c03f51c638b910e42

SHA256
1d9718815c0f257f7d71d08b7776ce6111358a4a81664b8deefad08b66efbc03

SHA512
03e48982d30610892c352fcaac04eeca8b552147b25b07666c94d28912cb4b7358fbd3d3d549a2b19c154c2aaa8f4d0b29924d05fb639a45eeac95eca952f13f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1128-452-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/1552-332-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1848-47-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/1848-46-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1864-571-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/1964-631-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/1992-691-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2436-59-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/2452-154-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2620-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2620-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2620-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2620-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2620-13-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2816-392-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download