dcrat | aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36.exe
Size

1.3MB
MD5

7118285af78dee239d39bc84ada97740
SHA1

df7c25ec4e9dd2b9dc97ddd0a4c35b586a4eb0b1
SHA256

aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36
SHA512

f8f4b5cdf3d98412e2074764bd003f09c30cdac2da733cf223c76317903df6c0c72dac0b79287cd64959773b77b535ccfb0ac3e977f32d7fdcc024f7c48ee119
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2876	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000192f0-11.dat	dcrat
behavioral1/memory/2220-13-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/1468-122-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/560-182-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/1600-243-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1652-303-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/2568-364-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/2920-542-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/780-602-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
3064	powershell.exe
820	powershell.exe
2216	powershell.exe
2156	powershell.exe
1436	powershell.exe
888	powershell.exe
2268	powershell.exe
536	powershell.exe
2072	powershell.exe
3060	powershell.exe
1296	powershell.exe
2172	powershell.exe
2240	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2220	DllCommonsvc.exe
1468	csrss.exe
560	csrss.exe
1600	csrss.exe
1652	csrss.exe
2568	csrss.exe
1044	csrss.exe
980	csrss.exe
2920	csrss.exe
780	csrss.exe
3000	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1256	cmd.exe
1256	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Windows\schemas\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\schemas\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\SchCache\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\56085415360792	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe
2432	schtasks.exe
1324	schtasks.exe
932	schtasks.exe
2452	schtasks.exe
2972	schtasks.exe
2596	schtasks.exe
2388	schtasks.exe
1532	schtasks.exe
2624	schtasks.exe
1860	schtasks.exe
2180	schtasks.exe
1136	schtasks.exe
3028	schtasks.exe
348	schtasks.exe
1676	schtasks.exe
1804	schtasks.exe
2628	schtasks.exe
2336	schtasks.exe
2656	schtasks.exe
2896	schtasks.exe
972	schtasks.exe
2964	schtasks.exe
1424	schtasks.exe
2496	schtasks.exe
2944	schtasks.exe
2276	schtasks.exe
732	schtasks.exe
1524	schtasks.exe
1668	schtasks.exe
528	schtasks.exe
2664	schtasks.exe
936	schtasks.exe
1932	schtasks.exe
2940	schtasks.exe
1772	schtasks.exe
648	schtasks.exe
2040	schtasks.exe
288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2220	DllCommonsvc.exe
2220	DllCommonsvc.exe
2220	DllCommonsvc.exe
2220	DllCommonsvc.exe
2220	DllCommonsvc.exe
3048	powershell.exe
3060	powershell.exe
888	powershell.exe
2072	powershell.exe
2240	powershell.exe
1436	powershell.exe
820	powershell.exe
2156	powershell.exe
3064	powershell.exe
2268	powershell.exe
2216	powershell.exe
1296	powershell.exe
536	powershell.exe
2172	powershell.exe
1468	csrss.exe
560	csrss.exe
1600	csrss.exe
1652	csrss.exe
2568	csrss.exe
1044	csrss.exe
980	csrss.exe
2920	csrss.exe
780	csrss.exe
3000	csrss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	DllCommonsvc.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1468	csrss.exe
Token: SeDebugPrivilege	560	csrss.exe
Token: SeDebugPrivilege	1600	csrss.exe
Token: SeDebugPrivilege	1652	csrss.exe
Token: SeDebugPrivilege	2568	csrss.exe
Token: SeDebugPrivilege	1044	csrss.exe
Token: SeDebugPrivilege	980	csrss.exe
Token: SeDebugPrivilege	2920	csrss.exe
Token: SeDebugPrivilege	780	csrss.exe
Token: SeDebugPrivilege	3000	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2128	2396	JaffaCakes118_aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36.exe	30
PID 2396 wrote to memory of 2128	2396	JaffaCakes118_aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36.exe	30
PID 2396 wrote to memory of 2128	2396	JaffaCakes118_aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36.exe	30
PID 2396 wrote to memory of 2128	2396	JaffaCakes118_aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36.exe	30
PID 2128 wrote to memory of 1256	2128	WScript.exe	31
PID 2128 wrote to memory of 1256	2128	WScript.exe	31
PID 2128 wrote to memory of 1256	2128	WScript.exe	31
PID 2128 wrote to memory of 1256	2128	WScript.exe	31
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 2220 wrote to memory of 2172	2220	DllCommonsvc.exe	74
PID 2220 wrote to memory of 2172	2220	DllCommonsvc.exe	74
PID 2220 wrote to memory of 2172	2220	DllCommonsvc.exe	74
PID 2220 wrote to memory of 2268	2220	DllCommonsvc.exe	75
PID 2220 wrote to memory of 2268	2220	DllCommonsvc.exe	75
PID 2220 wrote to memory of 2268	2220	DllCommonsvc.exe	75
PID 2220 wrote to memory of 2216	2220	DllCommonsvc.exe	76
PID 2220 wrote to memory of 2216	2220	DllCommonsvc.exe	76
PID 2220 wrote to memory of 2216	2220	DllCommonsvc.exe	76
PID 2220 wrote to memory of 536	2220	DllCommonsvc.exe	77
PID 2220 wrote to memory of 536	2220	DllCommonsvc.exe	77
PID 2220 wrote to memory of 536	2220	DllCommonsvc.exe	77
PID 2220 wrote to memory of 3048	2220	DllCommonsvc.exe	78
PID 2220 wrote to memory of 3048	2220	DllCommonsvc.exe	78
PID 2220 wrote to memory of 3048	2220	DllCommonsvc.exe	78
PID 2220 wrote to memory of 2240	2220	DllCommonsvc.exe	79
PID 2220 wrote to memory of 2240	2220	DllCommonsvc.exe	79
PID 2220 wrote to memory of 2240	2220	DllCommonsvc.exe	79
PID 2220 wrote to memory of 2072	2220	DllCommonsvc.exe	80
PID 2220 wrote to memory of 2072	2220	DllCommonsvc.exe	80
PID 2220 wrote to memory of 2072	2220	DllCommonsvc.exe	80
PID 2220 wrote to memory of 2156	2220	DllCommonsvc.exe	81
PID 2220 wrote to memory of 2156	2220	DllCommonsvc.exe	81
PID 2220 wrote to memory of 2156	2220	DllCommonsvc.exe	81
PID 2220 wrote to memory of 1436	2220	DllCommonsvc.exe	82
PID 2220 wrote to memory of 1436	2220	DllCommonsvc.exe	82
PID 2220 wrote to memory of 1436	2220	DllCommonsvc.exe	82
PID 2220 wrote to memory of 3060	2220	DllCommonsvc.exe	83
PID 2220 wrote to memory of 3060	2220	DllCommonsvc.exe	83
PID 2220 wrote to memory of 3060	2220	DllCommonsvc.exe	83
PID 2220 wrote to memory of 3064	2220	DllCommonsvc.exe	84
PID 2220 wrote to memory of 3064	2220	DllCommonsvc.exe	84
PID 2220 wrote to memory of 3064	2220	DllCommonsvc.exe	84
PID 2220 wrote to memory of 888	2220	DllCommonsvc.exe	85
PID 2220 wrote to memory of 888	2220	DllCommonsvc.exe	85
PID 2220 wrote to memory of 888	2220	DllCommonsvc.exe	85
PID 2220 wrote to memory of 1296	2220	DllCommonsvc.exe	86
PID 2220 wrote to memory of 1296	2220	DllCommonsvc.exe	86
PID 2220 wrote to memory of 1296	2220	DllCommonsvc.exe	86
PID 2220 wrote to memory of 820	2220	DllCommonsvc.exe	87
PID 2220 wrote to memory of 820	2220	DllCommonsvc.exe	87
PID 2220 wrote to memory of 820	2220	DllCommonsvc.exe	87
PID 2220 wrote to memory of 1584	2220	DllCommonsvc.exe	100
PID 2220 wrote to memory of 1584	2220	DllCommonsvc.exe	100
PID 2220 wrote to memory of 1584	2220	DllCommonsvc.exe	100
PID 1584 wrote to memory of 2924	1584	cmd.exe	104
PID 1584 wrote to memory of 2924	1584	cmd.exe	104
PID 1584 wrote to memory of 2924	1584	cmd.exe	104
PID 1584 wrote to memory of 1468	1584	cmd.exe	106
PID 1584 wrote to memory of 1468	1584	cmd.exe	106
PID 1584 wrote to memory of 1468	1584	cmd.exe	106
PID 1468 wrote to memory of 2844	1468	csrss.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aa3d1f0544d820f50272b2906899aade4528c19d98588b151072e2c33e144c36.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JvQT74mmCP.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2924
      - C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        7⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:352
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"
        9⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1044
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
        11⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1584
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
        13⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2044
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        15⤵
        
        PID:2368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2128
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
        17⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1600
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"
        19⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2972
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        21⤵
        
        PID:1324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1720
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
        23⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3044
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\schemas\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SchCache\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49c6cb9c80f1779b9f61cb5fc253de74

SHA1
2b90cdd7279b4ac417d57d2be1cd6b81e1f944c1

SHA256
f88d539d07073684ac9ea098a58ecda8e017d66626aa82f8674654245203453c

SHA512
219a0c29c2901da6296bbe907b5e84de4724f6821c98a5037a48f0413f993e4d59e6857bca69a0f04cea140a301e6aa136f99655836ec866a69db73dd636fd9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d1cc90afb0345fdefc78da237a6caaf

SHA1
4b8e27d9977aeed9e0d559c24e2969189f408cf6

SHA256
adbd346ad3049b3fa895c28f352965e283099d5ea4df3ff2f3d14ab252c237a1

SHA512
5c72616d3fb5f350db0d36eee5605df17bdf940aec4fbef46442a0280e94756e03420c1daa4c27ca910928e75e75c9893da45d6e21b60c56d8608fce748581a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49c86a62ec689e6b1c3aede0d1b659ef

SHA1
559d14f4f393b332af0936b4caf25eaa1859396a

SHA256
4b481b553fed9bb4c00523f34b2e0979a7deda696d3d4325463c950d54453b9f

SHA512
478e9c48679b7d5901080aa4696916a132e908e042229b23c5820aac9e8d8b5f51e5ead0393899ba9244d8002dbfb447255d4209f5f812d24ae20ed6c8ca43b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfba3ffd5384613ee54efb1e7442b170

SHA1
497dbc590fc63c77ddddf7fc14c277f4241df9e6

SHA256
74e8081c342b5e2f733630595b4505f010eae4cc0ee70c35f291091cb79ff2c7

SHA512
a19271f57b06bf9aba94ec7c83b05c2d943c90c0219e75bc98b36bd4196e07b916c94ef8cb52d3edfaea7fa463db3b782dd4294ddb30e65dac00146f4b7cf0dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7f18d34adb44e9988ccb1e8dbe00859

SHA1
106887c1a26f1d8a3c4e6980f4434feb34d01d37

SHA256
f401cf2c63d6a2278d9fc697ad40c06293f1e86f00376b32f36713ba068301d3

SHA512
b41dd377657b89c0cbedc9e91d7fb1e009d1ac8f28d31c3c44f72c6991545454deeb45c057c806c6947f5543b748032dbe56dae890c72c6bde07af572758a589

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d3f8cb7e3e4887671a0ff8f45f4d871

SHA1
9a13887b26bb99f0ac9a497f0df6a39fabb0d25d

SHA256
96459208e938a9ccfbf561710085b382c9c43994637a65902e21f4fb93cf486b

SHA512
efb70a4e0b5968a770496713e6d5147d8c6a29b5e84d32126e6264bf02858784a3f6807c9f60ebf48e0d59d6c5b5e2d0fbb07e2ae585df62ea8a7b4d70a1550a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e224c2e8b463873756976f8d4afde45

SHA1
8871b6b1ccdbd59d1454a3e364d2878ad7c32590

SHA256
bceec02896bd0bbb3f406530e6e07171f4e5d1dd32691a4ab6c98f1199d36596

SHA512
c62f0c0bc1fad50443038dfe8ccb04a5aad73b30e811d4d18523d958201d0227a1339aec6d17cd2a1919e04a8007e81783291c5530aa756e80e8cc620d1a23b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c071e65a7f8eed22f39cdf2cd644282

SHA1
c0871efe0b41ae6df2cbdcbdc38ca2ffd067e9db

SHA256
3804c0672aed6bdff4244f00896823f68208767e0f447ce707ba21a13e625e2f

SHA512
5fe6bbfd4537f793f3e1dc4cebd2732d32ff63d10cfad1733e13cf327e1080660fb43c05450176772efeaf28cbab78f58e3b9fb8e3bf6272a65f36b830efa1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

Filesize
196B

MD5
1404df0d19b53c4235adc032a06b8bdd

SHA1
178c1bd40cbfb6c77724f7609df484cb3a319ddc

SHA256
2061011b0ca1770251dbfd18f70ccc039b5b4155c9c1404270b6f7f7bfde5529

SHA512
a39a4b583a24ff4cddef87be8b03e360ae3bd8b226793517b44921948ed8ed84f4506651147f56c80ea21f6e51807a99728a4e5cdb54bf1f0521979202a45ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat

Filesize
196B

MD5
fb14259e71fcd52fbeb1a0440826e4ea

SHA1
10ff3beefb9822bcb6bb0784c81f8f1a9098f725

SHA256
0fd1ae84e8debd556457bea4966a78666a132fc60811b7e1487e1b15a5eaf296

SHA512
4068c6f70847058b55c58188c23ce293617f51b236b02187ef5ca4c347cae9e4a6667a1cf070d40d631bc3270ac6078c1a5e68426f073613a68e310a438dc84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat

Filesize
196B

MD5
420ecb0bda46774d031dc2226a048071

SHA1
f4a3924941108f50f58710dff80146d8fc027a47

SHA256
720901c1f74c5c4ec7360e563eb507cd30fb954b123bc386a9bba10c6cce4f7b

SHA512
9a99cf68daa5a88a735ae5da8f9eaa42abbff003a01fff44652edd20eb37001ac9c8950910f23ba7f4e9c2375d981ded522da170ebf6a9cece5f09bf6e2c4f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED00.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JvQT74mmCP.bat

Filesize
196B

MD5
eb48d043ba03ed387b56c9aca7a19112

SHA1
42ded4491220e1160ab2669363e705ba1cf07279

SHA256
9df294d6ea480ae0100feda2fbc350e7ca20b77fad219eb5faf735ee471bc058

SHA512
f386af5d07b9f747db8e889619d5a30eafea284627ef10f6814cb58574718e1c0bf7e6a64f4c1c8c74f63c5350b1e50dfbaa24de8a4afbf542babd795dd08629

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

Filesize
196B

MD5
d2a82773f2b8e60302a960ac9538a0b2

SHA1
ac86f382b99d224a5be95798bcd113c1b5c0a5c8

SHA256
dd6e335d261b23598e0d91ccadd77cbe0ff425dd4e9a9418db668c518d806431

SHA512
c19226ed97d119e188502d4074eaa5ba0a0efa99b491a4418cd280044c70927175e398d347afca5faded3711ea3e11af60ae8632feb3593df57f43bccc9d1be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat

Filesize
196B

MD5
802f3fba180a95b58ab5c2f35b483e32

SHA1
6b85c8fee7959427e51b47b6e32ab64a9daf58ec

SHA256
9dff0d96ea3cf60a509207145c06c00750437454e35053a90b1c0c5cc77ac05f

SHA512
630efca49b52b75c3fe688ff10ac387e673dad52450b59f9976aeffc9ac5a84e395814ac2b595129f6d5ec838982a4e121385e80be27e10cad17d82fe6d8a145

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarED12.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

Filesize
196B

MD5
57c698fad029f94e76a3da8610871c55

SHA1
9345dcbcf61c31716f023e2744ca7835924a794e

SHA256
fbd4189542a364f92d3a9c69d0d37dcac088bf46649ee03f2d571896b778c008

SHA512
bc0940f8e4b832babb7bbb2227c1ca4facb2bbeef0de3046c28f26d7ed510fbaea206997bca3f59588fd6a0ba67e527360a9f1f26fb8ac1d43df0f0438966c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
196B

MD5
886bc2196d9eed10910304910198fa6e

SHA1
55a3af8a1da15bd46bf3dbaf4fd8c98a9c241232

SHA256
93f8f11878d01dfdb51fcd222bca1971a7cad2ecdaf4911af5effba15110ec70

SHA512
35fa3ec601a151ae314b7d9449a23b76a577825e92123fc8ecb094309d87cdac007289f381ac63d52db8ae7a64826e05308a976034e583063d937ca11b484bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
196B

MD5
8fe8402775bfcf7c85adc4fbd8a9a28b

SHA1
314de6eca0d90e23239a06dd5e08d48b9bfc7f97

SHA256
d0830ec5d1c702938fac313fa9b5f13a22a37a49fc88d6d4714ad96c2ae3a61c

SHA512
12663bb1e162c7d87effffb8077816ebe4169ee5a957a00219b1fd94c2e8d6a270052c99bebff8e6efa24b48043ceaa51a083866cb1cbef01058a685da2aab32

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
196B

MD5
afb3e3f1eddbe20e5fb4cebcda9ceb1e

SHA1
036521a87b6c6f54eb5941f7c96a6cc23f4b8ef0

SHA256
6af8d7fb1f4b9b0fe425e8a9e2c76f36e58d87a10b10db052f2f4cf5c9f8bf8d

SHA512
a35e3e883195631262f66017c30b32329c181c4a2f32f7fb8ae840e9276db3da3baecf8349c292b86bba0874f1041dd054391447313841eda08f3aeee03907c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
740a9ed644f9f641c036daa37b8fadeb

SHA1
15512a94e0610da0256a8f27748f95da2066757f

SHA256
ac0d58df13500c80679523df28231f86394672c7333178cda167a2335b9458c3

SHA512
2d02be5f823ee347c8913f4c24d72c2dc7754ce74f5636d3881a91522e4e6fc57735d8677f0f86104939ce6373b832cf95b3116199e38c174a6e3c13ba67cfa3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/560-182-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/560-183-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/780-602-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1468-123-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1468-122-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/1600-243-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/1652-303-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/1652-304-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2220-17-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/2220-16-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2220-15-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2220-14-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2220-13-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/2568-364-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2920-542-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/3000-662-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/3048-54-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/3048-53-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download