dcrat | 52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd

Analysis

max time kernel
144s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd.exe
Size

1.3MB
MD5

d87af6f862594496806f76c74fcc2b3d
SHA1

03f4437116bfcaecfdbea91c8f03f206fed98d00
SHA256

52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd
SHA512

8e20782c863ea6921c770adb45be47fb77d00565bc2e42c9b095f9bcccfcf7f47af203bf8ea2b49f5a0a0a31914a13e1413b157c2c0610ddb49eefd1c805cbd0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	3012	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000173da-9.dat	dcrat
behavioral1/memory/2872-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat
behavioral1/memory/1512-69-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/264-173-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2132-292-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/1708-352-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1732-531-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/2844-591-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/1620-651-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2204-711-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1596	powershell.exe
2348	powershell.exe
3044	powershell.exe
2044	powershell.exe
1524	powershell.exe
1336	powershell.exe
700	powershell.exe
728	powershell.exe
3052	powershell.exe
1752	powershell.exe
1564	powershell.exe
916	powershell.exe
2188	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2872	DllCommonsvc.exe
1512	DllCommonsvc.exe
264	DllCommonsvc.exe
2408	DllCommonsvc.exe
2132	DllCommonsvc.exe
1708	DllCommonsvc.exe
2152	DllCommonsvc.exe
1360	DllCommonsvc.exe
1732	DllCommonsvc.exe
2844	DllCommonsvc.exe
1620	DllCommonsvc.exe
2204	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2544	cmd.exe
2544	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
13	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
16	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\Installer\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2332	schtasks.exe
1856	schtasks.exe
1960	schtasks.exe
1600	schtasks.exe
2008	schtasks.exe
2948	schtasks.exe
2600	schtasks.exe
2300	schtasks.exe
2884	schtasks.exe
2000	schtasks.exe
1768	schtasks.exe
1936	schtasks.exe
1248	schtasks.exe
776	schtasks.exe
2712	schtasks.exe
1484	schtasks.exe
2032	schtasks.exe
3028	schtasks.exe
2852	schtasks.exe
680	schtasks.exe
2984	schtasks.exe
1732	schtasks.exe
784	schtasks.exe
2580	schtasks.exe
296	schtasks.exe
2324	schtasks.exe
1916	schtasks.exe
2844	schtasks.exe
2632	schtasks.exe
2264	schtasks.exe
2688	schtasks.exe
2528	schtasks.exe
2064	schtasks.exe
272	schtasks.exe
848	schtasks.exe
2248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2872	DllCommonsvc.exe
2872	DllCommonsvc.exe
2872	DllCommonsvc.exe
1336	powershell.exe
1524	powershell.exe
728	powershell.exe
700	powershell.exe
1752	powershell.exe
3044	powershell.exe
2348	powershell.exe
1596	powershell.exe
2188	powershell.exe
3052	powershell.exe
1564	powershell.exe
1512	DllCommonsvc.exe
2044	powershell.exe
916	powershell.exe
264	DllCommonsvc.exe
2408	DllCommonsvc.exe
2132	DllCommonsvc.exe
1708	DllCommonsvc.exe
2152	DllCommonsvc.exe
1360	DllCommonsvc.exe
1732	DllCommonsvc.exe
2844	DllCommonsvc.exe
1620	DllCommonsvc.exe
2204	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	DllCommonsvc.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1512	DllCommonsvc.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	264	DllCommonsvc.exe
Token: SeDebugPrivilege	2408	DllCommonsvc.exe
Token: SeDebugPrivilege	2132	DllCommonsvc.exe
Token: SeDebugPrivilege	1708	DllCommonsvc.exe
Token: SeDebugPrivilege	2152	DllCommonsvc.exe
Token: SeDebugPrivilege	1360	DllCommonsvc.exe
Token: SeDebugPrivilege	1732	DllCommonsvc.exe
Token: SeDebugPrivilege	2844	DllCommonsvc.exe
Token: SeDebugPrivilege	1620	DllCommonsvc.exe
Token: SeDebugPrivilege	2204	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1724	1684	52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd.exe	30
PID 1684 wrote to memory of 1724	1684	52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd.exe	30
PID 1684 wrote to memory of 1724	1684	52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd.exe	30
PID 1684 wrote to memory of 1724	1684	52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd.exe	30
PID 1724 wrote to memory of 2544	1724	WScript.exe	31
PID 1724 wrote to memory of 2544	1724	WScript.exe	31
PID 1724 wrote to memory of 2544	1724	WScript.exe	31
PID 1724 wrote to memory of 2544	1724	WScript.exe	31
PID 2544 wrote to memory of 2872	2544	cmd.exe	33
PID 2544 wrote to memory of 2872	2544	cmd.exe	33
PID 2544 wrote to memory of 2872	2544	cmd.exe	33
PID 2544 wrote to memory of 2872	2544	cmd.exe	33
PID 2872 wrote to memory of 1524	2872	DllCommonsvc.exe	71
PID 2872 wrote to memory of 1524	2872	DllCommonsvc.exe	71
PID 2872 wrote to memory of 1524	2872	DllCommonsvc.exe	71
PID 2872 wrote to memory of 1336	2872	DllCommonsvc.exe	72
PID 2872 wrote to memory of 1336	2872	DllCommonsvc.exe	72
PID 2872 wrote to memory of 1336	2872	DllCommonsvc.exe	72
PID 2872 wrote to memory of 1564	2872	DllCommonsvc.exe	73
PID 2872 wrote to memory of 1564	2872	DllCommonsvc.exe	73
PID 2872 wrote to memory of 1564	2872	DllCommonsvc.exe	73
PID 2872 wrote to memory of 1596	2872	DllCommonsvc.exe	76
PID 2872 wrote to memory of 1596	2872	DllCommonsvc.exe	76
PID 2872 wrote to memory of 1596	2872	DllCommonsvc.exe	76
PID 2872 wrote to memory of 700	2872	DllCommonsvc.exe	78
PID 2872 wrote to memory of 700	2872	DllCommonsvc.exe	78
PID 2872 wrote to memory of 700	2872	DllCommonsvc.exe	78
PID 2872 wrote to memory of 916	2872	DllCommonsvc.exe	79
PID 2872 wrote to memory of 916	2872	DllCommonsvc.exe	79
PID 2872 wrote to memory of 916	2872	DllCommonsvc.exe	79
PID 2872 wrote to memory of 2188	2872	DllCommonsvc.exe	80
PID 2872 wrote to memory of 2188	2872	DllCommonsvc.exe	80
PID 2872 wrote to memory of 2188	2872	DllCommonsvc.exe	80
PID 2872 wrote to memory of 2348	2872	DllCommonsvc.exe	81
PID 2872 wrote to memory of 2348	2872	DllCommonsvc.exe	81
PID 2872 wrote to memory of 2348	2872	DllCommonsvc.exe	81
PID 2872 wrote to memory of 728	2872	DllCommonsvc.exe	84
PID 2872 wrote to memory of 728	2872	DllCommonsvc.exe	84
PID 2872 wrote to memory of 728	2872	DllCommonsvc.exe	84
PID 2872 wrote to memory of 3052	2872	DllCommonsvc.exe	86
PID 2872 wrote to memory of 3052	2872	DllCommonsvc.exe	86
PID 2872 wrote to memory of 3052	2872	DllCommonsvc.exe	86
PID 2872 wrote to memory of 3044	2872	DllCommonsvc.exe	88
PID 2872 wrote to memory of 3044	2872	DllCommonsvc.exe	88
PID 2872 wrote to memory of 3044	2872	DllCommonsvc.exe	88
PID 2872 wrote to memory of 1752	2872	DllCommonsvc.exe	90
PID 2872 wrote to memory of 1752	2872	DllCommonsvc.exe	90
PID 2872 wrote to memory of 1752	2872	DllCommonsvc.exe	90
PID 2872 wrote to memory of 2044	2872	DllCommonsvc.exe	91
PID 2872 wrote to memory of 2044	2872	DllCommonsvc.exe	91
PID 2872 wrote to memory of 2044	2872	DllCommonsvc.exe	91
PID 2872 wrote to memory of 1512	2872	DllCommonsvc.exe	96
PID 2872 wrote to memory of 1512	2872	DllCommonsvc.exe	96
PID 2872 wrote to memory of 1512	2872	DllCommonsvc.exe	96
PID 1512 wrote to memory of 2004	1512	DllCommonsvc.exe	99
PID 1512 wrote to memory of 2004	1512	DllCommonsvc.exe	99
PID 1512 wrote to memory of 2004	1512	DllCommonsvc.exe	99
PID 2004 wrote to memory of 2300	2004	cmd.exe	101
PID 2004 wrote to memory of 2300	2004	cmd.exe	101
PID 2004 wrote to memory of 2300	2004	cmd.exe	101
PID 2004 wrote to memory of 264	2004	cmd.exe	102
PID 2004 wrote to memory of 264	2004	cmd.exe	102
PID 2004 wrote to memory of 264	2004	cmd.exe	102
PID 264 wrote to memory of 2256	264	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd.exe
"C:\Users\Admin\AppData\Local\Temp\52edc5786fdb818babaf34144dd453aad1931f18adaf030f959c3c84ec115fdd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2300
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
        8⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1944
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
        10⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2176
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
        12⤵
        
        PID:1104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:588
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        14⤵
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2776
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat"
        16⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2700
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"
        18⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2456
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
        20⤵
        
        PID:1280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2912
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        22⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1756
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        24⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2488
        
        C:\Windows\Installer\DllCommonsvc.exe
        
        "C:\Windows\Installer\DllCommonsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Installer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4a69912c216cefd2c72a4c1074ce460

SHA1
3d01580d7d2628e32b31383d7b3cd1ece0837d6f

SHA256
1b5739e04ceab626fb64b5415c57bdf45212f70acbce16bdf1cb496d92eed2a5

SHA512
3a8d4a2e53dbe9f0b36120dcfac94020cb4ede37bf781f43a741b08caf8e4b5990f7e35760236510e7aac930fc474a76504b2519540194c09277300fac0c680a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76d4973ffa3a651d168f8b53eb419f71

SHA1
7e721d65b328c69173bc319ac2d742744b77e6ad

SHA256
d42309b3fc13aba3791c3d7bdbbe2ae8f7ced7f393a68c843d096b2169311c03

SHA512
4c73ebf7214a564c17d29239000c275ddbffea55daa78b6afff113a96f727639bcc189afc2029f4af0da7a97f7dd1faaf12ec31376b5d3323fe85b45a86e6e7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83e47628c8048bdd0bf992d71d72c1cd

SHA1
a1946f19eccd2a9055955c7ed3a4cdc3ec478b22

SHA256
168d1d0b906f53425153fffa0bb56d79eafde8c948eee428b4618da3d1537ca2

SHA512
808fcb1548df5e618746ac773eba3547b0235a4e8e4fe19ab45040a4cb7c0f259a117188c873593ebd277f7f36a4420c06263f5a3e6e2f08b8aed351afb81aee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3651244355c2cdd13416178c7642d7a2

SHA1
46ced2745467ce96a4c4f7b3e93d2c2c5d07957b

SHA256
dec5e0507fe0da4c644ab3bfdc066e83fa0f21f2e8f112e728814213b0b182d0

SHA512
507bb6a460d2208410ebe281eebe50f9b834d20fb2d19504bd41d521b8f44a8218e997be160942b38c2069d48d9824986523aacca06cda42b52d42df9b300f9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10e93700688fdc9cc8d7c572634c337d

SHA1
7888547b1aa7f607623f6c154e7c75b97971894a

SHA256
87f2ba9681362f63080f16095e259b1a5c3eb028000f425c7655a8f348daeb84

SHA512
d0e0aa2dc6461a8bff0d2ecde4c6b970086ef477381e107a69fafe591b03ad6dae7c447df9508d4c5332258fe432a744b1140fef0e2e811c7e678d33f7bf5557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97e8ef35a666f0a8c6f8aff5af11b20c

SHA1
910272fa1e31338dee791371618b36f6866e2b0d

SHA256
b3e2c2ebdeadd625edca9fc0f254b3e3a529d48eda5adce1b331b4c42c8a7960

SHA512
247ddc28e7a8afb1bc08e2a21f6a40ba394c65257bfd1a9c66bc1a9a87e082349c3d160ba6a395162a31dcf97db88123979cb54aaa08589af85c910b496d69d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
341db7b3b863f04c345a4268ce18e4f3

SHA1
7646841373ebb8d4bf365d908ea1dc44cbeb3a60

SHA256
a5d156fbd8d3f8ca43eb7957464ef2abd5b3476733bcd6e47c69b5671aa587fd

SHA512
435df9ba2342f77da5eef908e8e6a74107d99b25d95ccc3b86be5a2ffe42f2df05ee474f8f8b8524617764fe43e9f14d26aba271bcdfaa3f15a0fa5e0dc9886e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
070fff2792caee15fc11ee14513c6248

SHA1
cc4996fabbb431da963498585b23f13138b14182

SHA256
0a909c9166a6087854c477792e21c5cad582faa8e6a0d88a1e91f43dfffa5f9c

SHA512
708bd0e59f1e5a34db610ea4886763a84b7502dbaf0070172bc7b6c2b2401198a568062848c763210de333aa00e75600c049308e6dd11d6dc92d98d65a0b9a22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df3b4c065b2980ebedd613ba4b28d2d4

SHA1
2229e0124123cc38f1b71ebb737b7fa668f98ecf

SHA256
3cdec08e8be3fed74e1ae1fbdf3db70194080bd42f4221bcba12678d068bb4fb

SHA512
2fb62cc0507d29b88847a02153527bd7a0c9138fb8c571aaba101ce9088914b90bc919b8831af7a316de9980a38e6932e57e662a1009105a1a0331a18b630aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
202B

MD5
e4d54354e51d42136849ea5d7755e816

SHA1
0d807b77a754c22714a01fc2bab2560cf30117a5

SHA256
d0511d71c8d22cc8109bce0131b7e19479bd54b8cc13d1e8757a5bde6fd1a0bb

SHA512
fb84084a33ae06f8e970f3d136e8031813166f29bd5c9b3d12248c756e48bf8cc44f5ae010e37ecdad5ebb24e423978042c68b84a259d97e4c37627690e4e481

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD145.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat

Filesize
202B

MD5
5b7cecb6cdcc804ae3a05a7cd9fefce9

SHA1
ad06c16d7a31d62301e1ab2cda932d67a94106a9

SHA256
8e13394d9afe7695733680ae24585be0f3c9db57e8bba470e9f125282da5b5fb

SHA512
ac61b24dc1093cc8da3547dbe192746bb5bd8de82bf0c298f69f64a5613a2808a6f8a723659fb88dc2475661275b4ac9a4899c2900301ad762b02ef26c897e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

Filesize
202B

MD5
8794662cbb9685f79bf5794b25d41fcc

SHA1
8efba4ddda7d32e19bd6ffe0a07f96da7f0145f4

SHA256
520b549d5e7f2965a5d1ce6046b815ded4ed89b9a5812efbc7faf916c325d087

SHA512
065c4b070718845fe0e4b9d38a404fcb604ff60395927e2aa17a27ea90114a242b413e9887e46686325464cc497e5788f668d96ed56166044f1403067ce59aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD158.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
202B

MD5
0f1494cca17062ac3dd3d76bc7d38a6b

SHA1
cb498bae6ca563b112809025ad1887685ef57a39

SHA256
97d8a95ae303f78040769ee0484e68b1c5d3ab7189e730836d4d25a4a05a627e

SHA512
777781f0dda68c1f307b2dbafa2fce0ad6779defbd629297c0d1a748742030bdcaca4a8975904b992f7ce7abfb4124858ee9c2811db5c7b523cf8c876cd56f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat

Filesize
202B

MD5
b3f859d3f3f0d3951d880697f92e5cec

SHA1
023665ea2cabedf752c64f398dc05004e8bb31de

SHA256
0a807fec13c113595197b9086c0018eb5df9a7430ea407617b89b15e27663cec

SHA512
11c12bb54e329903c6e9a4c3ba8400153fe842652f3ef47152b747e020ef285df9d4f3cd87059878dc58d80314e45dec07e793371f589f90db45307119de362f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat

Filesize
202B

MD5
0a66b877266e098806275544c1cdf17b

SHA1
aee93fa7be364df9798a5758421e2944031ed34d

SHA256
087f5be69cddec028c912c9d31a8fca522ddf6948137502254bf1c075b69d148

SHA512
b3c9e6c99b03af32e2079ddfec55aa0a3de5db2659885f6ef1136e9f27fee137bce1adb9d7b3f52e1b52c6bc126f9162e8c0bba39b7f7755176b21ac0ef0310e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

Filesize
202B

MD5
557e92d26266b2144c1e531ad395fee3

SHA1
7eeadc81341e1e897678349ad5f5948190a2db83

SHA256
410c0c4523d072da2bf8573cba9d5a477aa972ec8c08eeaf46ca927568999599

SHA512
2173702badcf326fb0f51c67ca2c8bab7c9b9b1f24d6ad5754eb45db72f672a08fa91eadea40819d1e794620fff8e6a1e166729bb2d84ee0a4947acac7eb1946

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
202B

MD5
fa463bae5b9d5d2c6f6aae4cf652c7ff

SHA1
ca3a696785f16b1727ecef81c85676dab7ad3f24

SHA256
bdb468a15115db8db3b77e45aaaa9de3e9ba2701e12489b2f3bbf2de6f97a535

SHA512
2d2051ba424dbf0e9029059d78d56a6cb73628bdae5cd39169b74c9650293d0dc2c7b8da877b83f68a88f45c1ca992b9410bb1154e2b0bb08bdb3899594206e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat

Filesize
202B

MD5
1c5f56668bdcb7d2a19f7f6c1dd72232

SHA1
e87540c6e54d2e90f1c289352faa774261ccfe6f

SHA256
b7e01f6f95d76821cbd470dd59a3958c81d0a6970cd5caa1a4d4d9fda0bd92d7

SHA512
d617d59290ec5b26a8f17020e181e33446e44e30901f39353e52d51a1107d943ab943553689ef5b00203ec61134ed771fbcf571d20c1a028975a403f80f44ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

Filesize
202B

MD5
650b7d44bb95e4cdf82c5fa3c4f8fcdc

SHA1
255e91fa7ad41b66e49fcc47c7642f4a1e562e0c

SHA256
ece2e0905741c4e868891db9e62163a494e4042836a125ed36235a18b914802c

SHA512
c8bb2cab5c9698bbf2ad2a9476d36d19f669503afb2ea436cbdbd0fc6432ba55ffe0c9a7c6edc4c44b5e6c4ecc7fd1f23e1b0a80e8811528f4f9f0559ac2e6a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d874297d2aaf5a431eb5b09b3ac86ba

SHA1
1298fbcbdc8c297cc95ee19af17cae17a48c8ffd

SHA256
3cd7848fb4b1c0a79239930526b0fa9ee5aa5c69ef9429a9ae8b9c0643ab2bbe

SHA512
09e12adf6f302332d01043f12fb4a53dfa6ff5fbc6565a10602149b6b07bc69cea3ae1b58c1a93a33f4cb1a30e10be8fffcafb17e36ba5091f53ee90d18ff830

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/264-173-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/1336-58-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1336-59-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1360-471-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1512-69-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/1620-651-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/1708-352-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/1732-531-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/2132-292-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2204-711-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2844-591-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2872-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2872-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2872-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2872-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2872-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download