dcrat | 1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4.exe
Size

1.3MB
MD5

1eff34c713968be70953873e8674dbd6
SHA1

8614954103af994d677e2ce040c65a9c57210b76
SHA256

1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4
SHA512

20c5a35850d9305252c80bb04be702fcf7dddc99cb72596458475d3ac4337b303924082aa6d57f3017ce97fbb0ab04000426d2065ed9550c49ddc04205b3fbc9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2904	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016875-9.dat	dcrat
behavioral1/memory/2992-13-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/2376-105-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/884-223-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2712-283-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/2880-403-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1832-463-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/1756-523-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/1272-642-0x0000000001020000-0x0000000001130000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
620	powershell.exe
568	powershell.exe
880	powershell.exe
2116	powershell.exe
884	powershell.exe
1312	powershell.exe
1696	powershell.exe
1992	powershell.exe
772	powershell.exe
1660	powershell.exe
1248	powershell.exe
1288	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	DllCommonsvc.exe
2376	conhost.exe
2744	conhost.exe
884	conhost.exe
2712	conhost.exe
2328	conhost.exe
2880	conhost.exe
1832	conhost.exe
1756	conhost.exe
2420	conhost.exe
1272	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
300	cmd.exe
300	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\winlogon.exe	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\rc0005\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2592	schtasks.exe
2280	schtasks.exe
1396	schtasks.exe
1164	schtasks.exe
2664	schtasks.exe
2740	schtasks.exe
3044	schtasks.exe
2340	schtasks.exe
1184	schtasks.exe
1256	schtasks.exe
2424	schtasks.exe
844	schtasks.exe
2008	schtasks.exe
2672	schtasks.exe
2944	schtasks.exe
2712	schtasks.exe
1828	schtasks.exe
1752	schtasks.exe
1732	schtasks.exe
1764	schtasks.exe
1960	schtasks.exe
1968	schtasks.exe
1704	schtasks.exe
1824	schtasks.exe
1132	schtasks.exe
2012	schtasks.exe
2700	schtasks.exe
2832	schtasks.exe
2204	schtasks.exe
2836	schtasks.exe
2208	schtasks.exe
2184	schtasks.exe
2232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2992	DllCommonsvc.exe
2992	DllCommonsvc.exe
2992	DllCommonsvc.exe
2992	DllCommonsvc.exe
2992	DllCommonsvc.exe
2992	DllCommonsvc.exe
2992	DllCommonsvc.exe
884	powershell.exe
1696	powershell.exe
620	powershell.exe
880	powershell.exe
1248	powershell.exe
1992	powershell.exe
568	powershell.exe
2116	powershell.exe
1312	powershell.exe
1288	powershell.exe
1660	powershell.exe
772	powershell.exe
2376	conhost.exe
2744	conhost.exe
884	conhost.exe
2712	conhost.exe
2328	conhost.exe
2880	conhost.exe
1832	conhost.exe
1756	conhost.exe
2420	conhost.exe
1272	conhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	DllCommonsvc.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2376	conhost.exe
Token: SeDebugPrivilege	2744	conhost.exe
Token: SeDebugPrivilege	884	conhost.exe
Token: SeDebugPrivilege	2712	conhost.exe
Token: SeDebugPrivilege	2328	conhost.exe
Token: SeDebugPrivilege	2880	conhost.exe
Token: SeDebugPrivilege	1832	conhost.exe
Token: SeDebugPrivilege	1756	conhost.exe
Token: SeDebugPrivilege	2420	conhost.exe
Token: SeDebugPrivilege	1272	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 444	2156	1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4.exe	30
PID 2156 wrote to memory of 444	2156	1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4.exe	30
PID 2156 wrote to memory of 444	2156	1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4.exe	30
PID 2156 wrote to memory of 444	2156	1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4.exe	30
PID 444 wrote to memory of 300	444	WScript.exe	31
PID 444 wrote to memory of 300	444	WScript.exe	31
PID 444 wrote to memory of 300	444	WScript.exe	31
PID 444 wrote to memory of 300	444	WScript.exe	31
PID 300 wrote to memory of 2992	300	cmd.exe	33
PID 300 wrote to memory of 2992	300	cmd.exe	33
PID 300 wrote to memory of 2992	300	cmd.exe	33
PID 300 wrote to memory of 2992	300	cmd.exe	33
PID 2992 wrote to memory of 1312	2992	DllCommonsvc.exe	68
PID 2992 wrote to memory of 1312	2992	DllCommonsvc.exe	68
PID 2992 wrote to memory of 1312	2992	DllCommonsvc.exe	68
PID 2992 wrote to memory of 1696	2992	DllCommonsvc.exe	69
PID 2992 wrote to memory of 1696	2992	DllCommonsvc.exe	69
PID 2992 wrote to memory of 1696	2992	DllCommonsvc.exe	69
PID 2992 wrote to memory of 620	2992	DllCommonsvc.exe	70
PID 2992 wrote to memory of 620	2992	DllCommonsvc.exe	70
PID 2992 wrote to memory of 620	2992	DllCommonsvc.exe	70
PID 2992 wrote to memory of 568	2992	DllCommonsvc.exe	71
PID 2992 wrote to memory of 568	2992	DllCommonsvc.exe	71
PID 2992 wrote to memory of 568	2992	DllCommonsvc.exe	71
PID 2992 wrote to memory of 1992	2992	DllCommonsvc.exe	72
PID 2992 wrote to memory of 1992	2992	DllCommonsvc.exe	72
PID 2992 wrote to memory of 1992	2992	DllCommonsvc.exe	72
PID 2992 wrote to memory of 772	2992	DllCommonsvc.exe	74
PID 2992 wrote to memory of 772	2992	DllCommonsvc.exe	74
PID 2992 wrote to memory of 772	2992	DllCommonsvc.exe	74
PID 2992 wrote to memory of 1660	2992	DllCommonsvc.exe	75
PID 2992 wrote to memory of 1660	2992	DllCommonsvc.exe	75
PID 2992 wrote to memory of 1660	2992	DllCommonsvc.exe	75
PID 2992 wrote to memory of 1248	2992	DllCommonsvc.exe	76
PID 2992 wrote to memory of 1248	2992	DllCommonsvc.exe	76
PID 2992 wrote to memory of 1248	2992	DllCommonsvc.exe	76
PID 2992 wrote to memory of 880	2992	DllCommonsvc.exe	77
PID 2992 wrote to memory of 880	2992	DllCommonsvc.exe	77
PID 2992 wrote to memory of 880	2992	DllCommonsvc.exe	77
PID 2992 wrote to memory of 1288	2992	DllCommonsvc.exe	78
PID 2992 wrote to memory of 1288	2992	DllCommonsvc.exe	78
PID 2992 wrote to memory of 1288	2992	DllCommonsvc.exe	78
PID 2992 wrote to memory of 2116	2992	DllCommonsvc.exe	79
PID 2992 wrote to memory of 2116	2992	DllCommonsvc.exe	79
PID 2992 wrote to memory of 2116	2992	DllCommonsvc.exe	79
PID 2992 wrote to memory of 884	2992	DllCommonsvc.exe	80
PID 2992 wrote to memory of 884	2992	DllCommonsvc.exe	80
PID 2992 wrote to memory of 884	2992	DllCommonsvc.exe	80
PID 2992 wrote to memory of 2192	2992	DllCommonsvc.exe	92
PID 2992 wrote to memory of 2192	2992	DllCommonsvc.exe	92
PID 2992 wrote to memory of 2192	2992	DllCommonsvc.exe	92
PID 2192 wrote to memory of 2052	2192	cmd.exe	94
PID 2192 wrote to memory of 2052	2192	cmd.exe	94
PID 2192 wrote to memory of 2052	2192	cmd.exe	94
PID 2192 wrote to memory of 2376	2192	cmd.exe	95
PID 2192 wrote to memory of 2376	2192	cmd.exe	95
PID 2192 wrote to memory of 2376	2192	cmd.exe	95
PID 2376 wrote to memory of 2804	2376	conhost.exe	96
PID 2376 wrote to memory of 2804	2376	conhost.exe	96
PID 2376 wrote to memory of 2804	2376	conhost.exe	96
PID 2804 wrote to memory of 2816	2804	cmd.exe	98
PID 2804 wrote to memory of 2816	2804	cmd.exe	98
PID 2804 wrote to memory of 2816	2804	cmd.exe	98
PID 2804 wrote to memory of 2744	2804	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4.exe
"C:\Users\Admin\AppData\Local\Temp\1dd55197686faec9166ce6ff1e7cd9a7950b95fdca49c20db273c0b6131c6cf4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DzBzDMqXuj.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2052
      - C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2816
        
        C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        9⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:712
        
        C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        11⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2784
        
        C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        13⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2292
        
        C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        15⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:964
        
        C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
        17⤵
        
        PID:1836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1980
        
        C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"
        19⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1668
        
        C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        21⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:908
        
        C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        23⤵
        
        PID:2240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:776
        
        C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        25⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59999a7852ebedeb511a7eaa628cba5b

SHA1
cc178b47be98cdd0757a7584f6d1eefbe5d579e9

SHA256
b80bb5c71762b9d608e976008dc44de00f52415b9fd1a843700b97fe543643be

SHA512
8e26625c058c766a91a6ad486c5d1c3a7dcc92b28b6555cd7da0544528f7e0f095860f6cd7535b8d6930962c388b6afca1f942765ab483c9618a15dc34dc0309

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
917d7f023e4662faa14a0749237e6f0a

SHA1
78c71a3c90fca49e8301856d88831731b39de3bc

SHA256
5b7ad78010f39fafb2796f5e7f9b7da25c39d9fcc99e6a39c65aa240b78d6707

SHA512
216aff121b402cfec484c67b517165412b9abbc1d9912a0b9974149298b2e8e97ac116e17d1571d8d9f61166b92c3adf838e4b32d645e2ae4ab0c9af5c13e80e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4b43cbc195974fc28704dbc16af7547

SHA1
61ac7759606c3c4533e721f5aa7fa4f7d1565cf0

SHA256
0f17f3c87575fbdfdba6e19e33f56b4d74d1d20fb77e01b6618f14191c995274

SHA512
3158da95651459355911af946cb0e03e5ffc59a57e9b1ce5b1b9e355292b706ab4b97df8b876662342a61c6b9ccee5ee169c61a8743384dcae3071b7599d6ae2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01041d56989d50f162ff80f608f4398c

SHA1
dbed42aa7577fc1dfddd92ababfe79d08e5da381

SHA256
066499da98e40a115d78b160ea657cfb50be4dda613ffbf66af35b4a7778bff6

SHA512
d78fd82dc9ae83d045b45f30d1e830c3883464310f930ff01b77f2321dc96a405bb491cadf179a67eb2d4e6129f9d7b124708aecae21c5f27fcd23222cc65a93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98a00dd631a57a0366b0edf091190ca1

SHA1
95941d2cd41ccf7d742644cba0347fe94fac8cb5

SHA256
9b12bf549152381d3bdec7434f7288f3bab46122492b50faeb5f18bd2738ae3e

SHA512
9e8f488c22821f155d2eaf42d1d03f06f1bb637ab902bf4542262b15bf2452f72095e5f8de626751fad0092be7cc431584f3b920cf67acbda517f6fd435fb104

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dbf3268b040f763ea38a406bf2950a4

SHA1
83e543291fc76b3bf71b390a0dc3dd52049f0f8b

SHA256
ffe9535b8afcfbe8316a23d3a5caede4b82c7acbf7f4049a338891bed9224b9a

SHA512
5752ef1d7391b799c61a82e35075240e39a23f39ab53ada74dfe6af8a627696977a934633d56020920228386c7e69d2a62d2188838110050afba1788fb244062

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fa8faf0bac2c5544db3a950c5f7a52c

SHA1
940bbed813220e6ae1f3d5b676957df31417f138

SHA256
9ff7b00782833c8527ff648608465be150ddb1bdf4b8f5f3c68abb1cbe006a0f

SHA512
878cd55520721b4f8356b72e070c9d52987eb5e6b90b56afc1153ad402cdbda250588e129785c58d9ad9d6a7048bb987e8e40a6eedeccc07a474e2891e70ba91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f79c0ea12206e1e44f234de15bf7206

SHA1
5571b3e43c4b6ca852d430f191d0d6cbc6fb5791

SHA256
9374d8b676b2534056a033ba54de5335d6587099a5a9373465f731c47347ee8a

SHA512
5f8e390c193a2444df464d235d0b2f0b235d7e3483bcd36545ca87e526e115253830b0d37586086155eb4ba3d74e07a9740a4d8b0babb3a75bddfebbf70ee8d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0c9c3b73f491376db5a128c360c3eb7

SHA1
09c10ce10b40530d53e864bcdf97b6e0720ec301

SHA256
5cba94a7340f33ecc0554024df6700e35e032797f77f0b85574dc8fd7f9f0cd7

SHA512
1b6723162ad401d15e7a7c9b666f3636b465bc90a5b82c93a3ec326b54e09b3e4ff9a91d9625f11fed0ad1c8c8cad4997da0b6a2fe0a618f30dc1b0be5dda224

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
218B

MD5
c09d8b9f7fc560119956d2b6bbbc50ac

SHA1
31b2e63da6f28af528aebd2fbad0a7d69ea49660

SHA256
721ac7bac514b9a682e4ed1e212c8d6627c1eed94503e8b93c2c530738d356a2

SHA512
c90ecfd5b675ee58cfd0cca5fe7d0efb4523c152eddd1f653f530ab24bd8535ba79619e2f17e8062e590930eb9bca5599d6fd4093c21a00f5d3b22f10565bcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
218B

MD5
bcbf733fc7510fc922e5e9bf79008b64

SHA1
a45f9f5a63bb8429628947e5cab762dd545a6f69

SHA256
a52d114fe4bc7ec9c7de6ceefab87aee68573e48a8605b5385b65446a4734525

SHA512
96dd1476e2c9932c0e984b973d633e512faf4ed282c180bf088861de7d267660af616c443eee05bf84cd5d9c8e5759671adbd0f1265ea0f6a98fa52df763216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7042.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

Filesize
218B

MD5
ec2bd9f9995952ed405e0578061e2e7f

SHA1
91f1ebf0afac8a472348b430d5db86320f4c3c5d

SHA256
9e7079e7e215ad70626a5980c2e113b41f7c84db3347e967b22da0a90b259b63

SHA512
0cbca44736fd3a6f96cad9748301a7026f97f10e6b0735ffdaf0e7cd8bf1ff45fe1edcb55594bebdefca05efe4c042a32ec7420b9baf84267b61d66d26109e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\DzBzDMqXuj.bat

Filesize
218B

MD5
22d376f40365cd6a26bb5d502b31e821

SHA1
1fd00ad6cf7ca4bbceacd827d503ad1a4e24f4d2

SHA256
a25031c54aee018fe61b163ffe0ef06d27ef3a2b64a79e4d5582261e18a60efe

SHA512
c926c9bc849cdc6096d0a53f4c38dd1afd6e54928dfb2770c722fee41279fc54ebf62d30cc3cb17cb39a162d8f644e76dbcb7bcf2ae392678399eef01f41fd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
218B

MD5
de8174e79ce09fa4c57993495410742a

SHA1
bd9f883515b111310d684476d84e0173e9abf493

SHA256
f7742ed690021d7dff0a5bc213b3e3b395aef3a3a0e4abd1505d1d9ffb972c5f

SHA512
7ac170552539ec32d3f41a1d5f86e2f777cf5f5d5c786ae56a7af26eeec5ce01bf023905abf6760f24e749ed460cc74602e6be96f56f1c668e3c137f0b691106

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7064.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat

Filesize
218B

MD5
b6ace5454271830633fa0ba2057678e0

SHA1
caa1c8013d9a8637d603af535cdce15fdf711d73

SHA256
c7668ceae8871a6905d46c01ace88029f0be76643106f4cbf9ee5b9c67831a1d

SHA512
0ea8273705528726c1e97dd63da9509fb9769ca9d9931ac8f71ebadae686146c30861229ff1e3bc0fe974aacf86fdc966c4f9fa4c007c416a8e437452a2fd412

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
218B

MD5
1b5dee09b0d85ed3fe4a20797be8a17d

SHA1
abe1d2d6759dcea99073f138bc1291b3a46c41f7

SHA256
50ca803635623b070fdd78b3af75d727be3682540abc8459c2d25520ea7a163e

SHA512
092652fb43708ff04c99a21a81b73f11d017f8cf4cd2304cf8c7337d25ca8dfc3816fd478e5af067b3d1c3055bd6257141ec4707222d6788cf38b9e0d936bd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
218B

MD5
b508dd0e86536179244e1a8ca32966c3

SHA1
a0c998ff62849f4c60ad4f83604c23f832a41757

SHA256
1d35d1ae5795f32966d1ac0a61e2a841e7de47dfaa7b91e10f9c54b57548449f

SHA512
22dde53159a43228c7e1736e0bdde584361d76faa5b7bd0e77c7181d8b2dccdabc65562cb010c9acee1627f8ee7461fc8f071596e99b7d1bc26098f2c4b75958

Download Submit
C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat

Filesize
218B

MD5
b61a005d16cc75bda98971ef36eb2286

SHA1
fb9f08dcc0c7ca5125286fe91333f039d12fb69c

SHA256
367ccc45a59fc43ab8de0ef1ebfc669fb97627bcac5e37c2cb4c42960d2d814c

SHA512
f28d0f176cfe0fa9ff0f50efd7ec55d0cbcc9924c9bcec9a7025690eba2331874fafedd4432a4cd96c06d41eebe9e2fa2c63b4d2f22061ecd287dd48352e8989

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

Filesize
218B

MD5
55c15754cf79a763f831307b484a52a9

SHA1
4f1e807707f83600b4862587a87fa7a5720efe69

SHA256
869c7b106c768ff6067fa61722290f577954f6d152938039b8bd8ca53b35610d

SHA512
a7ab000e7297d91e95d604785ab14cbcc65bf291671745537899271797f434fefd9b6aeb4b8d0d31de8f6b13f6c79bfa5605f4f72f12b631069746ccdd534cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
218B

MD5
22fb6f1af7787da3c9b6c024fbf9f6c6

SHA1
29d9b026624569f69a3b6dfae83cc5e29a6078a3

SHA256
5640622bf3e2a8d153144691dc3a58cbc41e814ed5c5456647e4d7173c321add

SHA512
5156810a1510f4a22429fd92a825705efeacf7a1a2a5099bc9a8e1eea96e006fa21e04b628c789ecd8dd9e2beb5609c87bf851f1eede8e72594b66d0e0b63f93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3FIWY0CA75CM9L8RYZ60.temp

Filesize
7KB

MD5
ed33b8c7b5d72bc7ea3f031280208947

SHA1
0f8ddfb9c6316f9598d1e455a7ed3eacd3c4b418

SHA256
c3459a975b3cee3a54d1bbf30164e92b6353c7cd5edc0ffe6975baab2859fb10

SHA512
94cedd27e27dfe2b4fe9d4248569301afb1803193e894323bf181aea69df26767237448984bbd20776780137bc196780b1033f3a1215fede3f9d773342b6ae58

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/884-55-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/884-223-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/884-70-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1272-642-0x0000000001020000-0x0000000001130000-memory.dmp

Filesize
1.1MB

Download
memory/1756-523-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/1832-463-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2328-343-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2376-105-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2712-283-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/2880-403-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2992-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2992-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2992-15-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2992-14-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2992-13-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download