dcrat | 8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa.exe
Size

1.3MB
MD5

e35962b2f2381615f3dac729cb26c09c
SHA1

5eee5e9f9b7bc9e388e7627b134c4eb77b4eeb76
SHA256

8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa
SHA512

f0f461c60c858d16f8d222d877cc7c2fdb4051d86f13faead03956227fd61244528dc662b1c31c6d79285038f54a2f201fa0d9eff7f8e17f52477caae1c7700a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3040	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000171a8-9.dat	dcrat
behavioral1/memory/2752-13-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/2084-164-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/1580-225-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1988-285-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/1936-345-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/2224-405-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2196-465-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/2564-525-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/1920-585-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/1088-645-0x0000000000BE0000-0x0000000000CF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
772	powershell.exe
2452	powershell.exe
900	powershell.exe
880	powershell.exe
2448	powershell.exe
2588	powershell.exe
956	powershell.exe
1816	powershell.exe
2196	powershell.exe
2352	powershell.exe
2456	powershell.exe
2172	powershell.exe
1972	powershell.exe
2356	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2752	DllCommonsvc.exe
1936	wininit.exe
2084	wininit.exe
1580	wininit.exe
1988	wininit.exe
1936	wininit.exe
2224	wininit.exe
2196	wininit.exe
2564	wininit.exe
1920	wininit.exe
1088	wininit.exe
2876	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2460	cmd.exe
2460	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1068	schtasks.exe
2956	schtasks.exe
1032	schtasks.exe
1592	schtasks.exe
612	schtasks.exe
2724	schtasks.exe
2164	schtasks.exe
1904	schtasks.exe
2080	schtasks.exe
308	schtasks.exe
2516	schtasks.exe
1808	schtasks.exe
2708	schtasks.exe
796	schtasks.exe
1852	schtasks.exe
2256	schtasks.exe
2036	schtasks.exe
2632	schtasks.exe
2316	schtasks.exe
1492	schtasks.exe
1812	schtasks.exe
2684	schtasks.exe
992	schtasks.exe
2596	schtasks.exe
2376	schtasks.exe
1988	schtasks.exe
2088	schtasks.exe
3068	schtasks.exe
1340	schtasks.exe
2960	schtasks.exe
2796	schtasks.exe
2844	schtasks.exe
2064	schtasks.exe
2336	schtasks.exe
1924	schtasks.exe
2580	schtasks.exe
2812	schtasks.exe
2992	schtasks.exe
1224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
880	powershell.exe
772	powershell.exe
2172	powershell.exe
2588	powershell.exe
1936	wininit.exe
2356	powershell.exe
1972	powershell.exe
2196	powershell.exe
2448	powershell.exe
956	powershell.exe
2456	powershell.exe
2452	powershell.exe
1816	powershell.exe
900	powershell.exe
2352	powershell.exe
2084	wininit.exe
1580	wininit.exe
1988	wininit.exe
1936	wininit.exe
2224	wininit.exe
2196	wininit.exe
2564	wininit.exe
1920	wininit.exe
1088	wininit.exe
2876	wininit.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1936	wininit.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2084	wininit.exe
Token: SeDebugPrivilege	1580	wininit.exe
Token: SeDebugPrivilege	1988	wininit.exe
Token: SeDebugPrivilege	1936	wininit.exe
Token: SeDebugPrivilege	2224	wininit.exe
Token: SeDebugPrivilege	2196	wininit.exe
Token: SeDebugPrivilege	2564	wininit.exe
Token: SeDebugPrivilege	1920	wininit.exe
Token: SeDebugPrivilege	1088	wininit.exe
Token: SeDebugPrivilege	2876	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2004	860	JaffaCakes118_8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa.exe	31
PID 860 wrote to memory of 2004	860	JaffaCakes118_8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa.exe	31
PID 860 wrote to memory of 2004	860	JaffaCakes118_8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa.exe	31
PID 860 wrote to memory of 2004	860	JaffaCakes118_8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa.exe	31
PID 2004 wrote to memory of 2460	2004	WScript.exe	32
PID 2004 wrote to memory of 2460	2004	WScript.exe	32
PID 2004 wrote to memory of 2460	2004	WScript.exe	32
PID 2004 wrote to memory of 2460	2004	WScript.exe	32
PID 2460 wrote to memory of 2752	2460	cmd.exe	34
PID 2460 wrote to memory of 2752	2460	cmd.exe	34
PID 2460 wrote to memory of 2752	2460	cmd.exe	34
PID 2460 wrote to memory of 2752	2460	cmd.exe	34
PID 2752 wrote to memory of 900	2752	DllCommonsvc.exe	75
PID 2752 wrote to memory of 900	2752	DllCommonsvc.exe	75
PID 2752 wrote to memory of 900	2752	DllCommonsvc.exe	75
PID 2752 wrote to memory of 880	2752	DllCommonsvc.exe	76
PID 2752 wrote to memory of 880	2752	DllCommonsvc.exe	76
PID 2752 wrote to memory of 880	2752	DllCommonsvc.exe	76
PID 2752 wrote to memory of 772	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 772	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 772	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 956	2752	DllCommonsvc.exe	78
PID 2752 wrote to memory of 956	2752	DllCommonsvc.exe	78
PID 2752 wrote to memory of 956	2752	DllCommonsvc.exe	78
PID 2752 wrote to memory of 2456	2752	DllCommonsvc.exe	79
PID 2752 wrote to memory of 2456	2752	DllCommonsvc.exe	79
PID 2752 wrote to memory of 2456	2752	DllCommonsvc.exe	79
PID 2752 wrote to memory of 2448	2752	DllCommonsvc.exe	80
PID 2752 wrote to memory of 2448	2752	DllCommonsvc.exe	80
PID 2752 wrote to memory of 2448	2752	DllCommonsvc.exe	80
PID 2752 wrote to memory of 2172	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 2172	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 2172	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 1816	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 1816	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 1816	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 2588	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 2588	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 2588	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 1972	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 1972	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 1972	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 2196	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 2196	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 2196	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 2452	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2452	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2452	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2352	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 2352	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 2352	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 2356	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 2356	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 2356	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 1936	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 1936	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 1936	2752	DllCommonsvc.exe	96
PID 1936 wrote to memory of 1132	1936	wininit.exe	104
PID 1936 wrote to memory of 1132	1936	wininit.exe	104
PID 1936 wrote to memory of 1132	1936	wininit.exe	104
PID 1132 wrote to memory of 1516	1132	cmd.exe	106
PID 1132 wrote to memory of 1516	1132	cmd.exe	106
PID 1132 wrote to memory of 1516	1132	cmd.exe	106
PID 1132 wrote to memory of 2084	1132	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8dc15de393b22b5a99c2d01edf1e49de4b4a7f0e01af144e15a7ff984ef650fa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1516
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        8⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2588
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        10⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2396
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        12⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2792
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        14⤵
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1928
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat"
        16⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2784
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
        18⤵
        
        PID:1372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2236
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        20⤵
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2336
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
        22⤵
        
        PID:844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2688
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
        24⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2636
        
        C:\Users\Default User\wininit.exe
        
        "C:\Users\Default User\wininit.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f776768ec5d89b47c3fe4c48cb93cbaa

SHA1
62ca18875cca0ca597223e9ee85e25af19fbde1e

SHA256
f19be35a7cc9eb4cb3bfa7cdcb156a12224c04ff4895369a50839451f24dc464

SHA512
0f146c3714670f74516f30551be1978993062b2fb98d093797069930e23734f7b9ccfcda996754d78c42784115b4964d76037218f0d7bf377cf2630ca9f963ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84e824c0255bc147890cb4694423fd1f

SHA1
dd8933c2128d41a11b5c08e202ebaea82fec9dc5

SHA256
945c2fb1915e08d7b3759373021dbf9c075d5c1c597b11f94d40f2b975bee8ab

SHA512
62db58f10190c8eb82f095778ac6edb992568ed4f674641672e3380a04723d4fd462524f6ff98d562f0ddb5942937da6d59663aa8b39976889a429e351a00090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b079403c04b86af3c5308c1797c22a8

SHA1
ab295d7c1f34e8490e9d93ff6b58d0a9798832b8

SHA256
3d44381471e8467527968f75640cbd6bbff5df0f774b725219283a320969f4f3

SHA512
48bde0f7905e40154218233ef5f9cfdd9ac44feac3ba7e7a95535d6e07bec30c0812624c1fc76c8ed08d7d68e698e0425000b0b37e906b6fbc7dc5885dccb698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07ac22bf8cf09ba99c17d471fbfc58f6

SHA1
1a7fe879265c4eae1b0da033f0114c8af13686c8

SHA256
63ffc8e400c69d50362c6dd73652f00e8802929217707cb894456b6b139b619e

SHA512
a6f952d33ca44252d374fcd4d9925f9fb5d0e2cad01622a2bf774b863212aefe911b21939e896bb131cf5e8dcc6011f07d6dd10f610785a4ae0e84a72378abdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39b9531ab6291fabd272b4d95f8aa7f9

SHA1
f6718bc73acdea6318401e9dd7788c281d41c395

SHA256
8d108d8779655f4281a45be8799a2cb7dd40891677152584ec9de139ad03de0e

SHA512
b80c7a1b8c34b43ec5d738df10601a73b3348d13922e4a0c98edb07d748d759bd815b4b8b7c4855b8f6ae0335a022987505ddafc253f3259b71cfef49483caaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e289fbcd3d06718851f98fb601c0c832

SHA1
6a34df97d75aa64c3b7a368cc828f2f23e8fd436

SHA256
40934e7da3dc1f2aee83b72f01cfd9504b5b4569d787e3610317bf90fbb3964c

SHA512
efd6eb3bd70df56dfeff5a60695069243fd6a495479d4c02727772c114ef2f2ef0f788b6d955763c1515cb2a43a6e0e406746a934594ea8242788068fdfa8031

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54583b098fe56e0783621d4699996d03

SHA1
a250fc0245f05baa502eabe9eb511757983dc406

SHA256
a3b1059c22c30d467715130ba14c1790fd25f0bd4f8250210a8f9180a90d85bb

SHA512
248a841e4c70bb3bd9ba774bf58935a8644435db8f9fe11ae8e2de0f540fa96152104db57839b946db7bc90466e1b1fd115f3d8e55d48e6ca284374e7afed591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
499dcbc15aca3921b73b1f38a81ab2de

SHA1
4b8292fb422a744bf0361b01ffd8aba76d6ac4c6

SHA256
35af4c658a43cb106c5e01c858619b643bc143e0b0d31856c93b41d46736fe0f

SHA512
f3ae76af45bbc94831255920b342013e1af44317b82812aee78bf78f3a4860cd27ba7112580055caaa96206d39ecf8ddfa3dbdb8c09d0c4fc4d902e503227199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10668dcccb6b3ad1cc89bc4fb2b6aa51

SHA1
42076040edf48d1c5ed2f6901cd70eacbab9c81b

SHA256
a5fa743e1243cec625583e57b34234ba23018788050e79a322d665e8a2995a27

SHA512
3fac744959139e46fc40b6beb799aab161043601818961c4de6be2236c645de8f42c9217be29b90532ecf23f3edead62d00cc93053327129bfb3770923c2c9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE49.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

Filesize
198B

MD5
05dcce73be9443c91923749a0adf7486

SHA1
2283ce80cf7459b66b01a256f531e8a80965dcb3

SHA256
ac0e08bf5091cb77a1c9f6771a2541046a878a6a11b741de34f74fe7b5897383

SHA512
bd3e84aa989bca0b6fb6ff9b67051e160ea64c941980277aafcf854ff21a04d94749ed8d0505a249939f86afc2f83c0348ed115bf2182478fd63d10549c7a8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
198B

MD5
28632f8b0efb176c0f820ee8dbf9d8a1

SHA1
428f02b3ad808e5c2278c05aded7fb64469d244c

SHA256
913b6967de83de3602ac8b98a739ddf5a6c4aad04374db86193d86941aa79258

SHA512
88af81a22814fd1cd8355482c30dc31990627973f36c0c746d0fb30ec746938b8c0f22dcff75acb39f249899ea83d4fb4112e58a218d5a6c4df351b3c62f37b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat

Filesize
198B

MD5
1a25007dcd0cfa767e2322902b58213f

SHA1
aa7e844bc288935db989946bf3a4bbe8e435b318

SHA256
b68f5c07efb3e317729c888c5a4f353e1a5c8d4c5f09d6bbe1bcf90dc677163d

SHA512
1a9be7b5e324659b282cee9d550b6dbaa6e64b2a86749d6673829a1e0e573bc8322f7d30ef21beba3c9e8ba3cc1b358a8791519c57bae33140d29379877f2338

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat

Filesize
198B

MD5
77344d26859a81309d39fa1078ac4449

SHA1
987747855555830cc8e9293db96e7eb242688acd

SHA256
a011a230afbc0cd8c6942b64e2d2c48bd267e1f1f0837ac7596becbdefd7a07f

SHA512
f1a4031fd8024b2595c4d34cf509dfd11a233edf4c1d47f478c0ea362ca966b306771487ceedb34487bcbbc668708020662be6c4301c46c9f2ec5123947026b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
198B

MD5
9422f984f85dffab05767a9f708ca135

SHA1
3224be76f690f4a5af4b22bf2533bee9c9f1007e

SHA256
b661725211afa2f92d0e04650ad9e8e6985b6ba91ea02c3b6873a093f0eb2431

SHA512
0e7d44525ff015ad19d29103fe16355b8d8767cf145f2994ed159ddd536f059b144bce935c2b55af7f9c9234c5add1f5f3d829132fc57d4ba303825069bcbf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE6B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
198B

MD5
5a79467804535f2bb5d417540ea73c3c

SHA1
4ca36dc526a5047277323f4ee16d43fd8dab5a58

SHA256
12f6f5d14783dc3665f691837acd1ef525276e9772b8175a3b8ff002a59e93e9

SHA512
7736586ae8aea1b87e3895dc8afc66cfbfee7f7562551a127f9b3db328938af2f779f17eacb70a4a0e7201db55812ca1ab4083a9895a27d29d0961628f1af207

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

Filesize
198B

MD5
1e9dc23753604d9eb45e4076660feb3e

SHA1
86d0be0eddc0e9c928b4a4d32f54688f180a69ab

SHA256
ed036959191e17ac9c515922cbccf3ec8e58b8b039922ff7c48c9b68f03a66b3

SHA512
9974568d1ef36c8c141b9d00425176fe626b838895ec4253703013cf427980e0f51921aec12ad8ed34a151c908e7a4eee3124f9bc009099d18ba462e65bd4f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
198B

MD5
ef50366308ffe557b7d04ee6825df235

SHA1
bcfbec0154407b246f2d2909a8d185acc8dad1aa

SHA256
e4a09504a233d65a08d9e87f9cb5accc551269850a446a74223eaa64626b24a2

SHA512
efe598f54e8a22a9b887737bee38e61eec09f01d8071b4f64e1284e1259b78fed9afad27884d2b06723f37615d97d0f5e25114940b26177520e5fce7dc00c97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
198B

MD5
4749ce471ba7f6bbdce0bc8e63e63682

SHA1
672477323d9116212a6336117ffffc4c2a7f7283

SHA256
94d64c05125c0f289dc391976b17f639d55861f47376a5a066f201a09c7eae4b

SHA512
ff0e6f130cfab2e26d581f19bf228cac38a02e22aabaadcad9318a81aa8617c01a749b1f471b825da07d84947786d81f86d3cae3da79bcc49dcef93f3283fcd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
198B

MD5
3d2fe4ada936042de08eeb254594a847

SHA1
2ff116e453c30c821c0a02c92437043a7032b306

SHA256
56115bb3c5af086eede889c63934761b3e0cadbb35f63e36ee92e649f738e014

SHA512
db203f0649601c4686e85aef4afb75393564f087e7173d5d4adc131e85d378b7ffeafe372d37e19d1ccd3b7cee59fbbdf44324999b79275f17f6399cdef754c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HKJVILJIP2LTY4HTA0IY.temp

Filesize
7KB

MD5
4313d0da5181cc26907e2b7bdfb8ef5b

SHA1
5733d739fee1a21efb7bacbbe3c3c1886e65953b

SHA256
adf7849af50ce14d419a1a197e84a02405cd41f6279c2e691c8d44b07541018d

SHA512
2d70e61bd984fe443f43cfd4575f53e0437ee79a3239850d64295fd23a0ce0f7f974a6dfab1a1beb3ad0ce412e1490cac13a2acdba1097ed70d8ac4b062bf3a3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/880-55-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/880-54-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1088-645-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

Filesize
1.1MB

Download
memory/1580-225-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/1920-585-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/1936-345-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/1988-285-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/2084-165-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2084-164-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2196-465-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/2224-405-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/2564-525-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2752-17-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2752-16-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2752-15-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2752-13-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download