dcrat | 868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f.exe
Size

1.3MB
MD5

8e754433ab5b51d813b34da6702afe47
SHA1

348feab800612bd13f4f5364f803b767725d40e7
SHA256

868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f
SHA512

121be026d904eeef41c8ff321d665e891f59edd60fbc36c223131a57b029439d2126882dc578831a1d9210992e349a2dc774b9539c6e5049c3e46e8d895e83ad
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	3020	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c23-12.dat	dcrat
behavioral1/memory/2884-13-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat
behavioral1/memory/2492-50-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/1288-180-0x0000000000980000-0x0000000000A90000-memory.dmp	dcrat
behavioral1/memory/676-240-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2040-300-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/1780-480-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/688-541-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2296-660-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2452	powershell.exe
1476	powershell.exe
3028	powershell.exe
836	powershell.exe
2204	powershell.exe
2184	powershell.exe
1012	powershell.exe
2092	powershell.exe
1820	powershell.exe
2360	powershell.exe
2216	powershell.exe
2524	powershell.exe
2488	powershell.exe
3048	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2884	DllCommonsvc.exe
2492	conhost.exe
1288	conhost.exe
676	conhost.exe
2040	conhost.exe
1972	conhost.exe
1232	conhost.exe
1780	conhost.exe
688	conhost.exe
2424	conhost.exe
2296	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	cmd.exe
2748	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1904	schtasks.exe
2376	schtasks.exe
2976	schtasks.exe
1984	schtasks.exe
1972	schtasks.exe
1628	schtasks.exe
1632	schtasks.exe
1800	schtasks.exe
2600	schtasks.exe
1648	schtasks.exe
832	schtasks.exe
1728	schtasks.exe
1736	schtasks.exe
2420	schtasks.exe
1612	schtasks.exe
3008	schtasks.exe
1352	schtasks.exe
2992	schtasks.exe
1288	schtasks.exe
2248	schtasks.exe
928	schtasks.exe
1804	schtasks.exe
2416	schtasks.exe
2692	schtasks.exe
1780	schtasks.exe
1056	schtasks.exe
2624	schtasks.exe
1580	schtasks.exe
2828	schtasks.exe
1076	schtasks.exe
676	schtasks.exe
572	schtasks.exe
2756	schtasks.exe
1152	schtasks.exe
1176	schtasks.exe
1464	schtasks.exe
2572	schtasks.exe
2176	schtasks.exe
1212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2884	DllCommonsvc.exe
2884	DllCommonsvc.exe
2884	DllCommonsvc.exe
2452	powershell.exe
2488	powershell.exe
3028	powershell.exe
1820	powershell.exe
1476	powershell.exe
2524	powershell.exe
836	powershell.exe
2204	powershell.exe
2184	powershell.exe
2360	powershell.exe
2092	powershell.exe
2216	powershell.exe
3048	powershell.exe
1012	powershell.exe
2492	conhost.exe
1288	conhost.exe
676	conhost.exe
2040	conhost.exe
1972	conhost.exe
1232	conhost.exe
1780	conhost.exe
688	conhost.exe
2424	conhost.exe
2296	conhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	DllCommonsvc.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2492	conhost.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1288	conhost.exe
Token: SeDebugPrivilege	676	conhost.exe
Token: SeDebugPrivilege	2040	conhost.exe
Token: SeDebugPrivilege	1972	conhost.exe
Token: SeDebugPrivilege	1232	conhost.exe
Token: SeDebugPrivilege	1780	conhost.exe
Token: SeDebugPrivilege	688	conhost.exe
Token: SeDebugPrivilege	2424	conhost.exe
Token: SeDebugPrivilege	2296	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1516	2280	JaffaCakes118_868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f.exe	31
PID 2280 wrote to memory of 1516	2280	JaffaCakes118_868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f.exe	31
PID 2280 wrote to memory of 1516	2280	JaffaCakes118_868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f.exe	31
PID 2280 wrote to memory of 1516	2280	JaffaCakes118_868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f.exe	31
PID 1516 wrote to memory of 2748	1516	WScript.exe	32
PID 1516 wrote to memory of 2748	1516	WScript.exe	32
PID 1516 wrote to memory of 2748	1516	WScript.exe	32
PID 1516 wrote to memory of 2748	1516	WScript.exe	32
PID 2748 wrote to memory of 2884	2748	cmd.exe	34
PID 2748 wrote to memory of 2884	2748	cmd.exe	34
PID 2748 wrote to memory of 2884	2748	cmd.exe	34
PID 2748 wrote to memory of 2884	2748	cmd.exe	34
PID 2884 wrote to memory of 2360	2884	DllCommonsvc.exe	75
PID 2884 wrote to memory of 2360	2884	DllCommonsvc.exe	75
PID 2884 wrote to memory of 2360	2884	DllCommonsvc.exe	75
PID 2884 wrote to memory of 2092	2884	DllCommonsvc.exe	76
PID 2884 wrote to memory of 2092	2884	DllCommonsvc.exe	76
PID 2884 wrote to memory of 2092	2884	DllCommonsvc.exe	76
PID 2884 wrote to memory of 3028	2884	DllCommonsvc.exe	77
PID 2884 wrote to memory of 3028	2884	DllCommonsvc.exe	77
PID 2884 wrote to memory of 3028	2884	DllCommonsvc.exe	77
PID 2884 wrote to memory of 2488	2884	DllCommonsvc.exe	78
PID 2884 wrote to memory of 2488	2884	DllCommonsvc.exe	78
PID 2884 wrote to memory of 2488	2884	DllCommonsvc.exe	78
PID 2884 wrote to memory of 2184	2884	DllCommonsvc.exe	79
PID 2884 wrote to memory of 2184	2884	DllCommonsvc.exe	79
PID 2884 wrote to memory of 2184	2884	DllCommonsvc.exe	79
PID 2884 wrote to memory of 836	2884	DllCommonsvc.exe	80
PID 2884 wrote to memory of 836	2884	DllCommonsvc.exe	80
PID 2884 wrote to memory of 836	2884	DllCommonsvc.exe	80
PID 2884 wrote to memory of 1820	2884	DllCommonsvc.exe	82
PID 2884 wrote to memory of 1820	2884	DllCommonsvc.exe	82
PID 2884 wrote to memory of 1820	2884	DllCommonsvc.exe	82
PID 2884 wrote to memory of 2204	2884	DllCommonsvc.exe	83
PID 2884 wrote to memory of 2204	2884	DllCommonsvc.exe	83
PID 2884 wrote to memory of 2204	2884	DllCommonsvc.exe	83
PID 2884 wrote to memory of 2216	2884	DllCommonsvc.exe	85
PID 2884 wrote to memory of 2216	2884	DllCommonsvc.exe	85
PID 2884 wrote to memory of 2216	2884	DllCommonsvc.exe	85
PID 2884 wrote to memory of 2452	2884	DllCommonsvc.exe	86
PID 2884 wrote to memory of 2452	2884	DllCommonsvc.exe	86
PID 2884 wrote to memory of 2452	2884	DllCommonsvc.exe	86
PID 2884 wrote to memory of 1012	2884	DllCommonsvc.exe	87
PID 2884 wrote to memory of 1012	2884	DllCommonsvc.exe	87
PID 2884 wrote to memory of 1012	2884	DllCommonsvc.exe	87
PID 2884 wrote to memory of 1476	2884	DllCommonsvc.exe	88
PID 2884 wrote to memory of 1476	2884	DllCommonsvc.exe	88
PID 2884 wrote to memory of 1476	2884	DllCommonsvc.exe	88
PID 2884 wrote to memory of 3048	2884	DllCommonsvc.exe	89
PID 2884 wrote to memory of 3048	2884	DllCommonsvc.exe	89
PID 2884 wrote to memory of 3048	2884	DllCommonsvc.exe	89
PID 2884 wrote to memory of 2524	2884	DllCommonsvc.exe	90
PID 2884 wrote to memory of 2524	2884	DllCommonsvc.exe	90
PID 2884 wrote to memory of 2524	2884	DllCommonsvc.exe	90
PID 2884 wrote to memory of 2492	2884	DllCommonsvc.exe	103
PID 2884 wrote to memory of 2492	2884	DllCommonsvc.exe	103
PID 2884 wrote to memory of 2492	2884	DllCommonsvc.exe	103
PID 2492 wrote to memory of 688	2492	conhost.exe	104
PID 2492 wrote to memory of 688	2492	conhost.exe	104
PID 2492 wrote to memory of 688	2492	conhost.exe	104
PID 688 wrote to memory of 2248	688	cmd.exe	106
PID 688 wrote to memory of 2248	688	cmd.exe	106
PID 688 wrote to memory of 2248	688	cmd.exe	106
PID 688 wrote to memory of 1288	688	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_868307890b20e968001a71414af1c7381d3aa36ca4269523f446329b5e12da2f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2248
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        8⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2384
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat"
        10⤵
        
        PID:1348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1060
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        12⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2780
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
        14⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2656
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
        16⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2592
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
        18⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2248
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        20⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2984
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
        22⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:856
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c2541e4953643332bf511009a124b29

SHA1
eecb73aa754f37df32fb031271d0ed3c4e17bcd9

SHA256
6f037e3bd9627ebb86570e2399c5838cdb4946d275d98ae9fb57c84e2e1abd47

SHA512
b3e8d997211d9bfcc5087cf3f5a61fc9e910c18f3b5f862ddbc233853c74509c547a62f46e8ffdc1fe383cff056995040e34df9ff39bf709969bd04f79a5e436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d043acead59ad2f37b9814b05848f40

SHA1
2c535eaa1b933e87f02d6b9cf06af662c5dec53c

SHA256
1042ae438619114e7c3e32a48e541d2c7995edbffd3574fd9793adfe71af963b

SHA512
d9f8d4b74d14280a0161df47a8857c16a2d51ae71940aa140993ab04562625cebcefe4e1204e3703646570c3cedc5f80ab52456930354636cfa138b5dd483fb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1aa0dda8e08b3f7203864d56093a315

SHA1
354e2d34f5d4eaacfea5e24629903579ab049665

SHA256
01dba14f2c893a675adaab9149dd12ec1d534d8f38d512f45c037878f0442feb

SHA512
71ed0bd15b133c0486b8d6cb54399667b59871f78ba88c2aa0a6bfd9b633d9160677c68cc3cf0eb7558723c460f2a85407f0875c0b7362ba8cf2c256c868ae37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
257bfa2bf8f92d8b7624afb0e52c1ee5

SHA1
3f7459993e7fb63cea6083089cbdf232c8ec7162

SHA256
ea9c6eb22a32626605242600b5bcb432e695ae3472a00cae9322da41edb05d1b

SHA512
dc6acf10411ea723172b5f37c9188b815ffaa0d21e08a28a740e24644cda8cd1f1863bcf384be6fff58b18726ce4804f091a2e62bba31dac6b7f26fb93d3e19b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19d4b10208daa9f1054170bdb52200ca

SHA1
ed34a5418f18f3eb895c15e76ea05c9c3e7255b9

SHA256
dc4236de377f1c6285c1ecb61e55d651af8659cd4ca36f8da332eba0ff427903

SHA512
81fe8b24f84a7abb2e78320cef4048a6156bedd5c22978707d716e5416c119b622a2c5e72abe5fdf87ac3d45550214f5b2378dde4ff5617be25637597b8343df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9d6754c9f091c8ba86b3869c148852a

SHA1
a76a45cd06f39ccc4d0b2f3384876f791f0c4c3b

SHA256
138b32e927e73bcfbcb524457708d88e18f079b199b3e890255056bc5774d8fe

SHA512
db28e05bb5bdf5a49f810e17d45ecc30becf9d86d55ee4bb24617e7fd0a08ea7649733f12e83b9b048a7856c401582a5b1f15e179c8ea606a1fc6411c7de8f7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e18a337533ef216288edc5e816bac066

SHA1
1131346b74f231feb52968bcc4d5e1d60b076c1a

SHA256
f13a3c344e935ebc2a48aa8a723b75d773d54de730705202144bade017ac904f

SHA512
bf4d07f52f13f3ea936a7c8ed002da9afc52ecb03fcbc8f7b85d17c4177eaea674f0a23344b5ed6ec5b6ae80b2002d7584e31977dcea6f0813e9fffaec17ec6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2a14a3972c6c516ed2400078b0958b8

SHA1
b0d32519c2c9d1a8d90f451985e87d65de7ef0f4

SHA256
2a2d182d9691392dfcb7cf1eb4dadcd3f78747785bf5f01694dfbd47280cf297

SHA512
295126a6b71fb7b6e56cac3be26388e2a8be3d8c856c4c52f0d05a672ec18899b85c2c9b772006ba0725aae649ad2e833d5fda01f2b8375aca6b70be60a5849a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

Filesize
194B

MD5
c0b759342083f3b22f46bd13571879e0

SHA1
7f952c3e27166f24251852d103ecd15bf99f7dc5

SHA256
5348f7674f2647bd2b040c13e7de64828267c868651a4d209035552953e48914

SHA512
963e6a6d82bfc7e3965c427d23fb4793b48ef3fcaf1f70213c8182b67bed59241c5ba510eb6c5b8e2b8cc4c23ef3cba3e7c531e46ca584b4c2dc1d7d10b9694c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab29C1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

Filesize
194B

MD5
bb2e98272234f1c52bd9ff6780e06135

SHA1
7b02b401d367c93b0eef58c8b8fe37b1c6723f36

SHA256
abe4efe8bd6ea0039535d59c34490ef9b27f93f234be9af051ad1a1195a683db

SHA512
ad654941a4992266f4f693ce2bdef525aded38bff32f5617bb5e7fa127cf7d5f78fff36a7f8a3e48a5e1f0e76ffaab268bb35def03af5419c571d378ac8a5c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
194B

MD5
b1a35df847491e17b7523d3f1d076f3b

SHA1
d21ac3facf291781d73a4a230a4ae272a229c977

SHA256
6b1c751fb4f35de22554b651937d948cb5a0e45900e1bcafb0a75e243858b7e0

SHA512
b6f8c03fa69526082e34ab0589f3d5fcfc8e89ffe6acd373345f52cf7629dfe922f3a975f80de043543e546efee3147322703e434a6f9d3b156d08742e7c7f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat

Filesize
194B

MD5
05efeb65ae65ddc2abb6c231cb838432

SHA1
e3116198f10da95b2ea1e7407c007c9fff63f2c2

SHA256
97e2d91cca8a979eaff3543ec91e60c2aa59792d50a141058122aab511c4b318

SHA512
effca5adeeeac5a1f45e794fcfd8ddf84d954923a086ef3cc155f57f6b246e6516dc490cfec1c556eee11cc0437fca0a7a62d151643da9da30083f1f3a161519

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2ABD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
194B

MD5
bdb0f939ae648190bf12d7c5251a8d9a

SHA1
17e7db49a4b02991f7cd2ae534dc714fc4be213c

SHA256
d9ae5d560f8df7b63433810ba08616870a6939bf9a14b72fcc657fd59e591d36

SHA512
e6fe2ecd0413e51f18e08104b0520fba335880024e43e27f4269ef7a7e2cfeddb0b74a41ba0001f31adc75bb1bca810fb6a5605cbb54a4f5fb54aaf9ec078606

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
194B

MD5
8e03d4af520d9b2153fa2d520f4cc690

SHA1
4f954e6bd195b4cc1d9f0f3d6ce538433cc3d203

SHA256
3163e65a3fe1ea90b717c900d3c798c46b2d8cba3c1c91059eb8008c579c9d2f

SHA512
901db25d39d251fcdb53c1c29fddb10b5c9d1e824bffc4d8febfe84eec16a131ad32b9ea5e106fb52ba89f8ac32ea525283ee1cb535f0c9615d9b1f24a2056ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat

Filesize
194B

MD5
eac6d2dea2948f3b8185cc3bedf4ef5a

SHA1
c8101b631773c12080a112a5007ed792af2cc2e9

SHA256
a528f51cbd298fe9e94194d72627d3b9023a79ffecff04633c6011074e72f0a8

SHA512
a0811a434ce516a522e216887d456214093e5a49ef1bbb108549687128bb912942c88a03053b2c6caebf07b049e80d6c1ebafba68d83b7ab85adc2bbf6cff7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

Filesize
194B

MD5
693029f4066c447d01204d5f09e9d8cc

SHA1
0c489da5895a63638082093a3eff673884a531b7

SHA256
5fc4f846ecb147c732fd146a975bff265992238fd200c2feb15e02a2cfac93f5

SHA512
5b6796b932207c3416d3a07baf2f8ae53036b922a49440d4d4bede174e9d89f2970c1f2d3e4f3fc67614025d6c0e3a7df74c291aff94bd88f72673102304ee25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiBdOqTAMf.bat

Filesize
194B

MD5
ce9b97e0984753671c22f04bb6e87418

SHA1
2205c56c2581adb7fde1866d3a72526fc5d21bf6

SHA256
683434de434da1f630f91c273378edbd8269b74b02471c9ff304926ab8c7fae7

SHA512
23a203b90ba93721bcbb74eb534af18075fcf64f0a28433b8c15e584a1bc0058b33d9884149faeb28ec6c92e2ed1d25428cdc49c4086737278d9d58573a15b2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7869f9578f53a533da826feb470f5a8e

SHA1
5fe69a231425385b59715c49541fca1199b2820a

SHA256
9c4b52bd0fd3891b2e88d866dae946931b7de2a840e20bb5e3cfa5912c9ec238

SHA512
8f3693cb26b6565d7bfc87b8c61564c110a1b8fb8cc7f8c3472f06dcb4f86c8fdbbde9233990afa675cf2e6306105883794ecd383cd26aae3681d507b00e63c0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/676-240-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/688-541-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/1232-420-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1288-180-0x0000000000980000-0x0000000000A90000-memory.dmp

Filesize
1.1MB

Download
memory/1780-480-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/1780-481-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1820-80-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1972-360-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2040-300-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2296-660-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2492-50-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/2884-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2884-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2884-15-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2884-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2884-13-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download
memory/3028-111-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download