dcrat | 3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe
Size

1.3MB
MD5

29686d3ef9347f94d6151acf51a50a40
SHA1

c572d263b840e6339683c4f92dd9aa400a5b25b3
SHA256

3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116
SHA512

855f9380390ea03f9302dd0c389e42ab0c4ad3ad5b71743b7ce0fd811a0424a90d07295b81cbc121acf7bda7a130d7ccacdb7af858894de13ba81c1945f1e53b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2804	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2804	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0008000000015d79-12.dat	dcrat
behavioral1/memory/908-13-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/1172-44-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/2936-80-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1996-170-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2304-230-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2348-527-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2388	powershell.exe
1920	powershell.exe
2740	powershell.exe
680	powershell.exe
2712	powershell.exe
584	powershell.exe
2744	powershell.exe
1772	powershell.exe
1424	powershell.exe
1364	powershell.exe
2192	powershell.exe
2204	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	Process
908	DllCommonsvc.exe
1172	DllCommonsvc.exe
2936	dllhost.exe
1996	dllhost.exe
2304	dllhost.exe
2656	dllhost.exe
768	dllhost.exe
1016	dllhost.exe
1988	dllhost.exe
2348	dllhost.exe
2808	dllhost.exe
1416	dllhost.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2360	cmd.exe
2360	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
9	raw.githubusercontent.com
18	raw.githubusercontent.com
21	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
24	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\en-US\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

Processes:

DllCommonsvc.exeDllCommonsvc.exe

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2848	schtasks.exe
2772	schtasks.exe
2256	schtasks.exe
2536	schtasks.exe
1880	schtasks.exe
1240	schtasks.exe
2824	schtasks.exe
2656	schtasks.exe
1776	schtasks.exe
1472	schtasks.exe
2392	schtasks.exe
824	schtasks.exe
1996	schtasks.exe
2584	schtasks.exe
2924	schtasks.exe
2704	schtasks.exe
352	schtasks.exe
2748	schtasks.exe
2376	schtasks.exe
2644	schtasks.exe
2412	schtasks.exe
1016	schtasks.exe
1312	schtasks.exe
2180	schtasks.exe
2516	schtasks.exe
2952	schtasks.exe
688	schtasks.exe
1972	schtasks.exe
972	schtasks.exe
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exeDllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	Process
908	DllCommonsvc.exe
2204	powershell.exe
2712	powershell.exe
2192	powershell.exe
1172	DllCommonsvc.exe
1172	DllCommonsvc.exe
1172	DllCommonsvc.exe
1172	DllCommonsvc.exe
1172	DllCommonsvc.exe
2740	powershell.exe
584	powershell.exe
1424	powershell.exe
2744	powershell.exe
1364	powershell.exe
2388	powershell.exe
680	powershell.exe
1772	powershell.exe
1920	powershell.exe
2936	dllhost.exe
1996	dllhost.exe
2304	dllhost.exe
2656	dllhost.exe
768	dllhost.exe
1016	dllhost.exe
1988	dllhost.exe
2348	dllhost.exe
2808	dllhost.exe
1416	dllhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	908	DllCommonsvc.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1172	DllCommonsvc.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2936	dllhost.exe
Token: SeDebugPrivilege	1996	dllhost.exe
Token: SeDebugPrivilege	2304	dllhost.exe
Token: SeDebugPrivilege	2656	dllhost.exe
Token: SeDebugPrivilege	768	dllhost.exe
Token: SeDebugPrivilege	1016	dllhost.exe
Token: SeDebugPrivilege	1988	dllhost.exe
Token: SeDebugPrivilege	2348	dllhost.exe
Token: SeDebugPrivilege	2808	dllhost.exe
Token: SeDebugPrivilege	1416	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exeWScript.execmd.exeDllCommonsvc.execmd.exeDllCommonsvc.exedllhost.execmd.exe

description	pid	Process	procid_target
PID 1968 wrote to memory of 2592	1968	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe	30
PID 1968 wrote to memory of 2592	1968	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe	30
PID 1968 wrote to memory of 2592	1968	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe	30
PID 1968 wrote to memory of 2592	1968	3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe	30
PID 2592 wrote to memory of 2360	2592	WScript.exe	31
PID 2592 wrote to memory of 2360	2592	WScript.exe	31
PID 2592 wrote to memory of 2360	2592	WScript.exe	31
PID 2592 wrote to memory of 2360	2592	WScript.exe	31
PID 2360 wrote to memory of 908	2360	cmd.exe	33
PID 2360 wrote to memory of 908	2360	cmd.exe	33
PID 2360 wrote to memory of 908	2360	cmd.exe	33
PID 2360 wrote to memory of 908	2360	cmd.exe	33
PID 908 wrote to memory of 2192	908	DllCommonsvc.exe	41
PID 908 wrote to memory of 2192	908	DllCommonsvc.exe	41
PID 908 wrote to memory of 2192	908	DllCommonsvc.exe	41
PID 908 wrote to memory of 2204	908	DllCommonsvc.exe	42
PID 908 wrote to memory of 2204	908	DllCommonsvc.exe	42
PID 908 wrote to memory of 2204	908	DllCommonsvc.exe	42
PID 908 wrote to memory of 2712	908	DllCommonsvc.exe	43
PID 908 wrote to memory of 2712	908	DllCommonsvc.exe	43
PID 908 wrote to memory of 2712	908	DllCommonsvc.exe	43
PID 908 wrote to memory of 1396	908	DllCommonsvc.exe	47
PID 908 wrote to memory of 1396	908	DllCommonsvc.exe	47
PID 908 wrote to memory of 1396	908	DllCommonsvc.exe	47
PID 1396 wrote to memory of 752	1396	cmd.exe	49
PID 1396 wrote to memory of 752	1396	cmd.exe	49
PID 1396 wrote to memory of 752	1396	cmd.exe	49
PID 1396 wrote to memory of 1172	1396	cmd.exe	50
PID 1396 wrote to memory of 1172	1396	cmd.exe	50
PID 1396 wrote to memory of 1172	1396	cmd.exe	50
PID 1172 wrote to memory of 584	1172	DllCommonsvc.exe	75
PID 1172 wrote to memory of 584	1172	DllCommonsvc.exe	75
PID 1172 wrote to memory of 584	1172	DllCommonsvc.exe	75
PID 1172 wrote to memory of 680	1172	DllCommonsvc.exe	76
PID 1172 wrote to memory of 680	1172	DllCommonsvc.exe	76
PID 1172 wrote to memory of 680	1172	DllCommonsvc.exe	76
PID 1172 wrote to memory of 2740	1172	DllCommonsvc.exe	77
PID 1172 wrote to memory of 2740	1172	DllCommonsvc.exe	77
PID 1172 wrote to memory of 2740	1172	DllCommonsvc.exe	77
PID 1172 wrote to memory of 1364	1172	DllCommonsvc.exe	79
PID 1172 wrote to memory of 1364	1172	DllCommonsvc.exe	79
PID 1172 wrote to memory of 1364	1172	DllCommonsvc.exe	79
PID 1172 wrote to memory of 1424	1172	DllCommonsvc.exe	81
PID 1172 wrote to memory of 1424	1172	DllCommonsvc.exe	81
PID 1172 wrote to memory of 1424	1172	DllCommonsvc.exe	81
PID 1172 wrote to memory of 1772	1172	DllCommonsvc.exe	82
PID 1172 wrote to memory of 1772	1172	DllCommonsvc.exe	82
PID 1172 wrote to memory of 1772	1172	DllCommonsvc.exe	82
PID 1172 wrote to memory of 1920	1172	DllCommonsvc.exe	83
PID 1172 wrote to memory of 1920	1172	DllCommonsvc.exe	83
PID 1172 wrote to memory of 1920	1172	DllCommonsvc.exe	83
PID 1172 wrote to memory of 2388	1172	DllCommonsvc.exe	84
PID 1172 wrote to memory of 2388	1172	DllCommonsvc.exe	84
PID 1172 wrote to memory of 2388	1172	DllCommonsvc.exe	84
PID 1172 wrote to memory of 2744	1172	DllCommonsvc.exe	85
PID 1172 wrote to memory of 2744	1172	DllCommonsvc.exe	85
PID 1172 wrote to memory of 2744	1172	DllCommonsvc.exe	85
PID 1172 wrote to memory of 2936	1172	DllCommonsvc.exe	93
PID 1172 wrote to memory of 2936	1172	DllCommonsvc.exe	93
PID 1172 wrote to memory of 2936	1172	DllCommonsvc.exe	93
PID 2936 wrote to memory of 568	2936	dllhost.exe	95
PID 2936 wrote to memory of 568	2936	dllhost.exe	95
PID 2936 wrote to memory of 568	2936	dllhost.exe	95
PID 568 wrote to memory of 1012	568	cmd.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe
"C:\Users\Admin\AppData\Local\Temp\3b51470647a4023cc8ce737dddaafc12faff349d9940e1a93a8d7cd47ca55116N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:752
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\playlist\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1012
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        10⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1976
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
        12⤵
        
        PID:876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1772
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        14⤵
        
        PID:744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:824
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
        16⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1344
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"
        18⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2728
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
        20⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1740
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
        22⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2908
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
        24⤵
        
        PID:1436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1808
        
        C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
        
        "C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        26⤵
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8445e568681ab5f572df763f5bc02dcb

SHA1
f2081b61ea8eea6c02ac78f74e0f47c6ec676c8b

SHA256
74dfc6377cbe356d0f63b493eb0727871813eb5cb2e5ca8d56b5ba8248462518

SHA512
01c3dfcd2cdfdb8b909b52d6c5ff00c1e7fa80cd4e77e14145cb51c7c283b71c70ec5afabee9665c4ac34e5e73c6fae16b4b60e7a63ea7faf03a6b17f0dd97ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dbf0537288d354944a9285e7624c057

SHA1
f5e046b3a34c327fdf46b6704bd107e5a732564b

SHA256
ef704b86753d3ff80438bf7949ce46b2089c419da9318f3ef5dbd4937948b489

SHA512
4c83355b2b8a11f45714c825737052af8fa93159090cbc20e86fab0cca021aa829dbaa5f58b6c76395dbfe3dcb3c78cfe85d60eb562a73afc2e3e47601b293f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c486dee697063e51c499ff71068f2a8f

SHA1
4479a9829da04af72294cc746c61820830e81209

SHA256
57637a8a6f2b555987ff9ce20efbcf21329783a270403fd946071754af4ea604

SHA512
fb303a926f61654896cbe49f201ec5b01b7c2957773f5a713acefa440e5e5d3424c607c2485624c3dac6a588a8dc010d0396702ac90956bba17d77cdde045075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e98e2bd5d46fbc8f9e184afd2aa8dc97

SHA1
eccc97151d4c3653d2f1525d9f549036e771b974

SHA256
4fe929f0f9ed917eb7a7cec9c2d0954addd9d48ac8d81da6962d26f33d3026e0

SHA512
fdf739ef3b9866a3e55e6b82bf1c0f48a2694f8c50de790f50f3d9cf50949ec92cc5c19f1a055ca96d975921be931bb7f579e981a83aadb4bddc96af6420611c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04f97d33a91260cc5461d5eedd6096bb

SHA1
6e9b1135167486379fe864ebfbf75bc8341d3262

SHA256
eee9ca25179a5db3079b02e209202ebcc7161d046535ffb245150de3eeef17c3

SHA512
75532f5de08b03562d6d8f4def78fcf1e53183f417682321ad7be9ad4e38fdfe7acd234c3c79f277b16ece634984d02ae49fca15f02e3dd0244ee90dfb8de36c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f0e69fc19fde284338b6d73ef4a8826

SHA1
703592954bb8e198c4a75018c07a49ed4224c604

SHA256
c0f34f54b90e209dc75e61fb9a5faf82d64cb6880fb512b8753ab18c61fc536f

SHA512
1ee3db3d1dff06e2102bd41926780cf00361a35d30f7b0d9560dc9e9e54b26de8f846ac1e32f5ac5f4b5c6996e1a154a01cade5825a3cc3928b5fb3cb07f4107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fadb50d0b15dd965dd79f78ca4493812

SHA1
2df645827e3c7d3079ad85d36c46dc31d914cd8b

SHA256
ebd9c5b2b6c59bf020ed3bfcda6b2be62dc019a75ffc105c54436b0000d32b89

SHA512
5cd3967af94fd6ee0deab20bef13211f95d0b4a21f65fa97ee31001fe92190022e0af4fd32bd9b8a3b0d0df793b1dbf79a5d355e51cedbf03aafb92738ffe6c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61226958f23328559b89f634c8bc512b

SHA1
e9fac7641577b7e0616498f4115ba7a1c8641627

SHA256
c5df2c9815fd90f553433d7893b3c2c5a941cbddab9105b157cfde1463a543df

SHA512
ec2b4ac5caf839281c4501c55dae633947cf66e64310afa02c5152536512c1fe0c98c046794a065c4d478aedcfea268e8e237d94f7f4e4c961a7b9b3dc6874c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d384b9ea7e08e174926267cb023d9072

SHA1
8e05f70abd46605e4d1be50b3880cb5142e865ec

SHA256
82ce58a1ce013eebea2839202e6b5c55afd887cd7216fa764895a5932bb99710

SHA512
1d0cebeffcfb8ba82f8b64bdb0fb0204cf3216518276dea35eea565c9314679d28d5f4762dd3c97ca2437bda81e50688151c88575875aa2ee93836305b38b068

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
220B

MD5
f5df7dc3ef03d4c4f1006c46977554b5

SHA1
c885a8f7ecd5c2af05e5b049ef767751a9abcbae

SHA256
4293143cb48891a9085b7dc3e0a8a7fcbc591b2cb5d4ea6ea0cd6ac7b2cf08c8

SHA512
2f100b653bc29d7f8823be69fde5e52dde5de80722b90db7cb107c479890ef04e73822d92ea561c41d0fc9b372f81983d27932ac040a40376e2e4ff493925824

Download Submit
C:\Users\Admin\AppData\Local\Temp\5oQSJwSTU5.bat

Filesize
199B

MD5
4205300563381855ac7d9bf3a21c0277

SHA1
27954f2c3dd819cbbf23f986aeca96c26d798a7a

SHA256
d3590d2f2e02704a6d02dbcd71093ab2c947b1e855f5603afc6fa78c099b7204

SHA512
a32bc2d30e0c18070e41b88e7f61b470fa2dca0aa54e6d833bdfbc51d97e74ffd079454eea2f10130d340a5d3ccf545f993a2cd0fea4148823e213c5be4ea3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
220B

MD5
45c832b837445e435c718c29424a1750

SHA1
91afe0e5883a403766b88aca3a19affaadb0177c

SHA256
9fd45a7f0a975cd6c9d33d3109b3634012a9e61e99fa68d23cda0459122a6245

SHA512
881b8123e2c3fd6bd1b4fe21f853c7a0aa4339264809cc12985b778deaccafcad667c10f32a011bca5c23f402f4be2a249fb2ddc382ce34238dceab772cf43f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA98.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

Filesize
220B

MD5
8e020cd351e377edae0f587345d9e705

SHA1
162e6d9db0df93b829e62d82272424b7cdaa1234

SHA256
8ba7193b9ac867f81bc4e9c34ac794e38b50afc496d8bd6ddb1ddc260a337efb

SHA512
5adb7664b49586fc43b9194a97e849bb20c00c5c172231c79030e1107efe799bdef5aa833cf890edda70c5865fe5ac5e440bb5b63f8441aee806466dee8f86fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat

Filesize
220B

MD5
09a8bae0075a64ed69c692801b431002

SHA1
2a413a3b5f31247134ba7e41270a965c6f1c89f0

SHA256
a88f1e5f49c0f8fa363c66eb8703be2e7d31784d4c6263263a4f701dd49f7786

SHA512
c15fd6ffb59f0e7030f030fd2a4ec49ff535e66fc21971360d12ba7168f5d65620cee141807f42c68cb5fab8b73515e9166959d0f7d634570a6237e764731223

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDAE9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
220B

MD5
442944b159ff95c572d7251fb7bf56ec

SHA1
b2aa5f66d271949f73a31c30f9dda9af214b00a0

SHA256
217ef0a32f62f207df772a2b56d23368f2b668f80cb5a72b89381c92327d5532

SHA512
0758b7082bb7fc2867f539c033acdc6bd54132125e37035db6509a6585fff2b764c02142132ee792410c5482eab08e1de8671d1c517b85aa68c244551bb16b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat

Filesize
220B

MD5
c23008fc8463fc72025b18fb9d43e84e

SHA1
9bba7c6cfdcc68fe3d576f394ee52565b1213bb5

SHA256
1bd47a345221ceb074355dd4b9da01f70e68ed4b7d8746f08c95df75c88c06ae

SHA512
9257d60e21f95220b672215d64e97d1aef5201ce59de4936a0e25ffb37c571ff8cd3fff351ff4ad6ff22e17079f34f0b1a1e1866a8b92cc8d472fd90c47b1f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

Filesize
220B

MD5
a1c334aa124a052acf49cca201206ba1

SHA1
a67d75fb4e5e35c83aaf9465f7dfed178565c552

SHA256
dbf446954489b006abc87a5c195094888936b1ed31d91c09b9b6a37343baddc9

SHA512
ca2754addb5dd94cab4b65ac0ddeb31d16db001033797a6ab48556b943e03107f5153a77eee9a74d381a9672a8030cfeb1a927f419def11b7024f8df413196ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

Filesize
220B

MD5
55b0415e8528b5d613572e78ca770f9d

SHA1
a436eef107f538e669a37121a097554be7eada4b

SHA256
b4e65de7204a248bad8f0fc2167f09b770d37ada0923fb2932224d287ae50943

SHA512
5aa53f9a1b4aec8f555e5ce29683bff515bab4722c3f9fcd55c95c25e816d8948536461eb31e99b2c9756004828a50414feecf5cdd8d36fd3c2a6d6f78132119

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
220B

MD5
48dec10ce74a12637896ea4de2677036

SHA1
9a60051d47975012a64d38ef2a9870cfe3f7da08

SHA256
f4e7c36c12750c4e923ef4b8248bd945225237af1a0a97bb4836e0f38f3c963e

SHA512
804eb0d0fb2c3f47f554bc73c4e58847459bdce5b0573f1ab73e54011c628ac23a356b53695cb8be74577fbd1470749bb6ecc0a62abe68d0d4d0c77624abe8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat

Filesize
220B

MD5
0f551efef242bb7e062b6accc266d2dd

SHA1
687c85b883f1cd89e3acdc75d15ce3f4a4b37f82

SHA256
b8e84eb8360a25e832c96b2b4c6e22d41c128b01e28d0377201bc335f2c30076

SHA512
50dae36433a0feb03089b0ff8ba28dbbc189d5d37c71d2e1fb71aae6808cbbcbb8a7886b67d57cc8680b734d910a56ba71cdeb3c32ceaa729be605f67df2da9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
399166f2e7df0c662eb57da620abe347

SHA1
62c60fef7e500f5afa6e9e43cab40b246af751f5

SHA256
d299e612c9a50c4c7811d128385cf4985fa75f8830133c538ff13cc2e86f506a

SHA512
d01717ff6da92ff49749174b740cf923b30c767607688ffc2148d4f5cdee5d80b36ea633b636dfd02c8dfa1be218f14999fbdeae8b7fd77820ee8c273cadef1b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/908-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/908-13-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/908-14-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/908-17-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/908-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/1172-44-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/1988-467-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/1996-170-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2204-42-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2304-230-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2348-527-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2712-41-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2740-71-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2740-70-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-80-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download