dcrat | 656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7.exe
Size

1.3MB
MD5

7780b0582aca022714bf8f148b7824a9
SHA1

7855e36ebd503c11e6f3c274c6b99c79ff4f7cfa
SHA256

656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7
SHA512

7b4c30964589c55288b111586758f799dcdfb2e94931d5de37cb3b1bfa6a94f2ba266417c53e5a9e05231498a89a376d5ac64e959afbbc87dd88e274985c9a55
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2772	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019496-9.dat	dcrat
behavioral1/memory/2704-13-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2260-48-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2904-173-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/1572-531-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2344-591-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/1972-652-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/2584-712-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2368	powershell.exe
2036	powershell.exe
3032	powershell.exe
992	powershell.exe
2540	powershell.exe
2392	powershell.exe
1864	powershell.exe
2112	powershell.exe
2240	powershell.exe
3012	powershell.exe
2176	powershell.exe
1596	powershell.exe
1000	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2704	DllCommonsvc.exe
2260	audiodg.exe
2904	audiodg.exe
2336	audiodg.exe
568	audiodg.exe
1208	audiodg.exe
2668	audiodg.exe
3016	audiodg.exe
1572	audiodg.exe
2344	audiodg.exe
1972	audiodg.exe
2584	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2652	cmd.exe
2652	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
37	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\ehome\it-IT\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\it-IT\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Cursors\services.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\it-IT\System.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\fr-FR\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\it-IT\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\AppPatch\fr-FR\services.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1876	schtasks.exe
624	schtasks.exe
2616	schtasks.exe
2872	schtasks.exe
2896	schtasks.exe
1404	schtasks.exe
848	schtasks.exe
2440	schtasks.exe
1192	schtasks.exe
2620	schtasks.exe
2052	schtasks.exe
112	schtasks.exe
1964	schtasks.exe
2808	schtasks.exe
2552	schtasks.exe
1156	schtasks.exe
1220	schtasks.exe
1504	schtasks.exe
1056	schtasks.exe
2028	schtasks.exe
1784	schtasks.exe
684	schtasks.exe
836	schtasks.exe
2492	schtasks.exe
408	schtasks.exe
1500	schtasks.exe
2584	schtasks.exe
2732	schtasks.exe
1508	schtasks.exe
2016	schtasks.exe
3024	schtasks.exe
1756	schtasks.exe
1592	schtasks.exe
344	schtasks.exe
1644	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2704	DllCommonsvc.exe
2704	DllCommonsvc.exe
2704	DllCommonsvc.exe
2540	powershell.exe
2112	powershell.exe
3032	powershell.exe
3012	powershell.exe
1864	powershell.exe
2392	powershell.exe
2260	audiodg.exe
2036	powershell.exe
1000	powershell.exe
1596	powershell.exe
2176	powershell.exe
992	powershell.exe
2240	powershell.exe
2368	powershell.exe
2904	audiodg.exe
2336	audiodg.exe
568	audiodg.exe
1208	audiodg.exe
2668	audiodg.exe
3016	audiodg.exe
1572	audiodg.exe
2344	audiodg.exe
1972	audiodg.exe
2584	audiodg.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	DllCommonsvc.exe
Token: SeDebugPrivilege	2260	audiodg.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2904	audiodg.exe
Token: SeDebugPrivilege	2336	audiodg.exe
Token: SeDebugPrivilege	568	audiodg.exe
Token: SeDebugPrivilege	1208	audiodg.exe
Token: SeDebugPrivilege	2668	audiodg.exe
Token: SeDebugPrivilege	3016	audiodg.exe
Token: SeDebugPrivilege	1572	audiodg.exe
Token: SeDebugPrivilege	2344	audiodg.exe
Token: SeDebugPrivilege	1972	audiodg.exe
Token: SeDebugPrivilege	2584	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 604	2096	JaffaCakes118_656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7.exe	31
PID 2096 wrote to memory of 604	2096	JaffaCakes118_656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7.exe	31
PID 2096 wrote to memory of 604	2096	JaffaCakes118_656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7.exe	31
PID 2096 wrote to memory of 604	2096	JaffaCakes118_656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7.exe	31
PID 604 wrote to memory of 2652	604	WScript.exe	32
PID 604 wrote to memory of 2652	604	WScript.exe	32
PID 604 wrote to memory of 2652	604	WScript.exe	32
PID 604 wrote to memory of 2652	604	WScript.exe	32
PID 2652 wrote to memory of 2704	2652	cmd.exe	34
PID 2652 wrote to memory of 2704	2652	cmd.exe	34
PID 2652 wrote to memory of 2704	2652	cmd.exe	34
PID 2652 wrote to memory of 2704	2652	cmd.exe	34
PID 2704 wrote to memory of 2392	2704	DllCommonsvc.exe	72
PID 2704 wrote to memory of 2392	2704	DllCommonsvc.exe	72
PID 2704 wrote to memory of 2392	2704	DllCommonsvc.exe	72
PID 2704 wrote to memory of 1864	2704	DllCommonsvc.exe	73
PID 2704 wrote to memory of 1864	2704	DllCommonsvc.exe	73
PID 2704 wrote to memory of 1864	2704	DllCommonsvc.exe	73
PID 2704 wrote to memory of 1000	2704	DllCommonsvc.exe	74
PID 2704 wrote to memory of 1000	2704	DllCommonsvc.exe	74
PID 2704 wrote to memory of 1000	2704	DllCommonsvc.exe	74
PID 2704 wrote to memory of 2540	2704	DllCommonsvc.exe	75
PID 2704 wrote to memory of 2540	2704	DllCommonsvc.exe	75
PID 2704 wrote to memory of 2540	2704	DllCommonsvc.exe	75
PID 2704 wrote to memory of 992	2704	DllCommonsvc.exe	76
PID 2704 wrote to memory of 992	2704	DllCommonsvc.exe	76
PID 2704 wrote to memory of 992	2704	DllCommonsvc.exe	76
PID 2704 wrote to memory of 2112	2704	DllCommonsvc.exe	79
PID 2704 wrote to memory of 2112	2704	DllCommonsvc.exe	79
PID 2704 wrote to memory of 2112	2704	DllCommonsvc.exe	79
PID 2704 wrote to memory of 1596	2704	DllCommonsvc.exe	80
PID 2704 wrote to memory of 1596	2704	DllCommonsvc.exe	80
PID 2704 wrote to memory of 1596	2704	DllCommonsvc.exe	80
PID 2704 wrote to memory of 2176	2704	DllCommonsvc.exe	81
PID 2704 wrote to memory of 2176	2704	DllCommonsvc.exe	81
PID 2704 wrote to memory of 2176	2704	DllCommonsvc.exe	81
PID 2704 wrote to memory of 3012	2704	DllCommonsvc.exe	82
PID 2704 wrote to memory of 3012	2704	DllCommonsvc.exe	82
PID 2704 wrote to memory of 3012	2704	DllCommonsvc.exe	82
PID 2704 wrote to memory of 3032	2704	DllCommonsvc.exe	83
PID 2704 wrote to memory of 3032	2704	DllCommonsvc.exe	83
PID 2704 wrote to memory of 3032	2704	DllCommonsvc.exe	83
PID 2704 wrote to memory of 2240	2704	DllCommonsvc.exe	85
PID 2704 wrote to memory of 2240	2704	DllCommonsvc.exe	85
PID 2704 wrote to memory of 2240	2704	DllCommonsvc.exe	85
PID 2704 wrote to memory of 2036	2704	DllCommonsvc.exe	86
PID 2704 wrote to memory of 2036	2704	DllCommonsvc.exe	86
PID 2704 wrote to memory of 2036	2704	DllCommonsvc.exe	86
PID 2704 wrote to memory of 2368	2704	DllCommonsvc.exe	87
PID 2704 wrote to memory of 2368	2704	DllCommonsvc.exe	87
PID 2704 wrote to memory of 2368	2704	DllCommonsvc.exe	87
PID 2704 wrote to memory of 2260	2704	DllCommonsvc.exe	98
PID 2704 wrote to memory of 2260	2704	DllCommonsvc.exe	98
PID 2704 wrote to memory of 2260	2704	DllCommonsvc.exe	98
PID 2260 wrote to memory of 1400	2260	audiodg.exe	99
PID 2260 wrote to memory of 1400	2260	audiodg.exe	99
PID 2260 wrote to memory of 1400	2260	audiodg.exe	99
PID 1400 wrote to memory of 3064	1400	cmd.exe	101
PID 1400 wrote to memory of 3064	1400	cmd.exe	101
PID 1400 wrote to memory of 3064	1400	cmd.exe	101
PID 1400 wrote to memory of 2904	1400	cmd.exe	102
PID 1400 wrote to memory of 2904	1400	cmd.exe	102
PID 1400 wrote to memory of 2904	1400	cmd.exe	102
PID 2904 wrote to memory of 2268	2904	audiodg.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_656ee1187cec2f72afcc5c3e819076d30fdb8a1884ed28604e88f9d2c212e0a7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\it-IT\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\fr-FR\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3064
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
        8⤵
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2384
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
        10⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3048
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        12⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2256
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"
        14⤵
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1892
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        16⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2376
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
        18⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1264
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
        20⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1192
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
        22⤵
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2664
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        24⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2876
        
        C:\Users\All Users\audiodg.exe
        
        "C:\Users\All Users\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ehome\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71add40a5d34bf3aa7d0ec7319e7fad3

SHA1
4cecfa1034c8cb22fecf1191706ae1469f478367

SHA256
26aeae1721b38ffef3ca77d28ade14c34d61733c431a5ac6ad4a79be3e942835

SHA512
f1df0bd6a153f50da62529bc4d71ff1936a81834c3f4cf8e7c6507f63e8f701d6e961126fd466c3574782a6832fe7d4a691ed6420a21058b2985e36f6c459bac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44d22f06b0424fc27f12f58abf015d0d

SHA1
46ac0fa1ae6b76bb08b80862cbb321a8dfc0c5ba

SHA256
3cbffd6541805252c9895ce19f644def3d625469866bb915c07a76c52378ec1b

SHA512
4a78096a8e7e9bd078418aaf42960f82534379a0555543abfe702752a8eb6bd08136862ce1c21f24db2b6f512fc1408c7910f87f7796341a07856618716844aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5513ec9fc0024756283a64d550ef6556

SHA1
fc6c1d64323896fffa474ca67e1dc8447a2dec1a

SHA256
68c68f5c7f6e708bb7a3ea62df4fc68267e34bf56ca243394bc2993133f13221

SHA512
66947c3a6ecf3a3f25c661d6baecfa75fc55fd470169c957913fadd284c5a753fe70241521b0785f4c575a0ac43ca5654a6f4526f9996fabdf891682d88ab617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2ece56d0e379f9f4060322427aacf1c

SHA1
88f0aabc0fc7061c0202e5128c10cb6e574d723f

SHA256
97a40cbcd401e163659f98168b2d4789a70e517e7c04a70d55b03aeefca55110

SHA512
5cb6ce9206b29602f0167fa417bafc1697ad892da88b8d3305517b83f694995da5f90a89a935da959b0ccb8a8d82013beccc42aefc09670d25f47e667ab7b8c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e1b597e1bda76969d6bcf8f8981e983

SHA1
74848cb596d3552147a32e1d09563a3c2130fa18

SHA256
58415c8a604d5ca7cbc8dcc2b1451c9e3ebc56af6d8500485262ef0b9b20b757

SHA512
de9483a0702bc2acd37e095b5d62ee8d53959f8008605f7233abf5fde52f5895f266742f44fe2b9b6efecca979f0aeec335d0835b922b02920dc5b686f144b75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53d164c9ce09c6b78e8761cb3e4a8b1a

SHA1
99af8c069b9a4f89256325c4946e993caa07be9f

SHA256
c97e16094b7ec7fe23943d78e23ca892ee2e104009ef53d106c4aa6b3437be23

SHA512
e59f42a30838969f73657393b6733964d9b3be9a8c2af0bb01571b6bfe542fd3ecf923ef36bad2702e42d76fc65aaa0c482b9f2201bc92b8774d1a4e8737174e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb5a48600bcfdeaef99b84607369715b

SHA1
1e90315a9c24a3f6a9dd27bb15bae9496aeaa3f8

SHA256
f36382b994492b5a2c11601e0c84cae9fe8b72e1e2fc9b2044a9a7ddd82916a5

SHA512
b782051dacb877099e9f07ccdaf39e081cf4cd1149905870051c759c179fda877f5a92a25bc7369d4d43e7f8a5fb60092209061e55eab03795a2513a0b05dd44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86b6ae86462edf5c68d17be2ad6afaaf

SHA1
c0da8ffc7959ff5636fbc77b84b255e36b51fbd2

SHA256
0b852a21a7036f7d3c1da314e0b221ffee8c1f4e9f1b66f8831212b998421791

SHA512
9b445c58b519c3c3611769afaa98f1d67711aec375cbccec19c77bf3d9e17ce5bf11d8ba10a751a91bd97f857771a17a6c4dc7ca4b24118182bd0f95972bcedb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f8837e707914c6d6fd2af7e4f6f4610

SHA1
2cadc656a0d582ca84404ade36d0a4da8cb1b6a4

SHA256
8333f147a38d6705013be9f71dc143e2ac276f9f3f680f7c16358e3ff131dc07

SHA512
cb7be0a116f03f40865a53af431cbe670d9a1322e5269daba118baab0a4e64f62cd8df5b61122d415c12d9184387b034596273fa501ee1403f75676e13f90f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat

Filesize
195B

MD5
5c4694bc7b2b4f50d46dec807f64372e

SHA1
edc42d6f505997c3e698e8ed3193faac190beb91

SHA256
70a10ac2abc6f6483f847ebc09ba4b8300d51c6a77c7993ca7eec92065e4ef50

SHA512
c9970c602051a07cd5a8cb2630b9e7170c336c17f74099cd5b9cda060f1779e77fc55b335de1c16180c7faa57eefb6946111293c64a963eb01473f1bf2b561c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

Filesize
195B

MD5
fef9c08e7aea9fd9b96c1fffb6f49ea2

SHA1
2258aaa6123ffc664af04f0beabde12dd7429897

SHA256
7a77940af76ee6e3b2ba11d78f73b31776e4d8be1b387b5d56032a0fb1803823

SHA512
34704ec6c47fe083fe5399bc7bb81b0f69757d15b42a9fb522ef384df0d1090238355b7c02e96d670ccbb5224e748b458927afb8d37d5c9a11c5db33c1a8843c

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat

Filesize
195B

MD5
5518923419f38468f766fd9d5f39905c

SHA1
079930921fe99186c684314ebf4314aac2e9ee6f

SHA256
9dacfb6c5ba22765a9f961cb274f10d6a523b5992c9b651013d7c7046cf16cad

SHA512
297bf51ccc8a5891609c8965fe3bab477870355a7d222366c2da7011a963ab79b0ed90589932f35b9b151a6c3972f1d33b7d164f62be210a2720a9fcdba8ff49

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat

Filesize
195B

MD5
e6197d75826c92ad314ae0a1a4f5d0cd

SHA1
70a7b6e10463bba015b1833f75bdfc69524d6567

SHA256
35612f8ad23885da2421dc64c265c1ffe41dbc61b499aacb09ea3178c98e97cf

SHA512
1dcb1900a99b7595181277570c04ee0df81ef500eaa9a910703001fb8306b2b105526498dae948fd85f0d9a2521b2aacfdc01f7a7645b768ac16f477e6ef0f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
195B

MD5
3bc73ef6d311c4cd514432de346ef6b5

SHA1
ddf9955f595f49ae68bbd9eca3dfccdacd5aee3e

SHA256
3d9a640e9bfe373b96a8a4124bc6557a1eff485036df02789e00f4350ca72859

SHA512
ffa4ddd33587433af9d368b7a7330ca41fe3a13a7c674e918e15f95157a6c780717369dc084240a843f675d180be8b6a06dce951c7635d10dd4c6bfd627b2dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1576.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat

Filesize
195B

MD5
0922a01244106c3a3c9fc8b1e39d417f

SHA1
0aa9e7e7adb9ead78b4e39c1cf5fff4c0bc6e5bb

SHA256
527cb0bff81d1c76e26589c23c842d89e16ffc9a421ffff81b929e406cf23f3d

SHA512
3ab126346d70c73bba6a84067fdfe01371264c50677d0676fc19d3243adc602a271620230c5136f0da2db5259b9867fee6ff600384de36abc7ebfb034f3312d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1598.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
195B

MD5
03a8954adfcaac50232321b6913defe0

SHA1
ae22eba96b0f6742b805390ee05b222ed3271fa1

SHA256
529da7296d976c164dc1dbd6e006c2fa33cbdde5f770b03347c7d39ceac9e3c2

SHA512
e788df9d3951a79b05cb58ec5e0310f535b58e4603c85da891bf93d8cb30164df70655d720e4960c59b4d7d804750c4fa38a2f11c94bbf24e4b21798876bdb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat

Filesize
195B

MD5
deb08e9ee6d324c9a27ca345cb54de91

SHA1
7ae0ac353694df04b2283ca3c79321e7745080b1

SHA256
c256cd733cf05a40e61bad6c32767b4c01de8438574c8351b4c225024e6d57e1

SHA512
ed104564a3db51f063286ffa7825d8ed51a6f571ccc4b29134b2353872e9b53928f2ec4e4080fe5ce0995934911a5bfb4f42db4db11f2db2c1c6e3d29d409b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
195B

MD5
5ebacd37d1b04a28ce7e07bb80281dc7

SHA1
a332606c802107dc370267b9f0f6625d53d50a47

SHA256
65ac422cfe034e747308c3936b9b97fca52a9c0db96783478340126885d99203

SHA512
6f8b0d34221ad5ca8afaa7323357bc88ca7c3b07b5306410579e6364c7e8448ab58696e91e2e7fd5c80b580c5b1c6cfeee853c543a209d8c49b8b7d70ab2dde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat

Filesize
195B

MD5
41b9478da5c268edb27b1ccb288eaa03

SHA1
59cc499ad891b4677d1b6e11657a03aab6278c5a

SHA256
7b4b0a8132ec54e0f878901f6379f36fc4fe6bc42280512abdb4100fb719bd8b

SHA512
3492a87908ff560dd264b7f60dfb9a1d5ffa0c63df642030a37379537b2dcbc4dd70587249fdd8a0ff51441a51ac5a4474129317c95aa2b146b8ff4af1c8ca3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e9d189ddbda0823aa4f2e761f9553ff

SHA1
3ffff364976277d2c6056c1c22358b086a67a755

SHA256
f72db1cb50cc8a8267e708b0508458a9f17e2baec1e24f682650efb4a24a8a25

SHA512
4fa2bd71535960eede26f814d76690315c8c484026a762e0c6755bec4a988b371979cafa54ea7c4cb3abcf9236f7d19d5755970496facf26fb2f378d6a5b7221

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1208-352-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1572-531-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/1972-652-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/2260-48-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2336-233-0x0000000000920000-0x0000000000932000-memory.dmp

Filesize
72KB

Download
memory/2344-591-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2344-592-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2540-55-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2540-54-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2584-712-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2704-13-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2704-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2704-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2704-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2704-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2904-173-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/3016-471-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download