Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    31/10/2022, 22:07

General

  • Target

    e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe

  • Size

    1.3MB

  • MD5

    cb7abdf4e4c93cab3449a14cf499ea57

  • SHA1

    0ba5eace1cab4455aef40e9a3d78d32b276b582e

  • SHA256

    e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56

  • SHA512

    feb6445476d81b420fc07f80f0e512b83f71db63b70940b4abaee0f16e5dd526dff5fd3c3e4a8047287c23ecf87cf41a8645fd45afb7ef23864fb614f95c5094

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 17 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe
    "C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4932
          • C:\providercommon\spoolsv.exe
            "C:\providercommon\spoolsv.exe"
            5⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4444
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4716
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2632
                • C:\providercommon\spoolsv.exe
                  "C:\providercommon\spoolsv.exe"
                  7⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4736
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3316
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2760
                      • C:\providercommon\spoolsv.exe
                        "C:\providercommon\spoolsv.exe"
                        9⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:1292
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4840
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:3892
                            • C:\providercommon\spoolsv.exe
                              "C:\providercommon\spoolsv.exe"
                              11⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              PID:376
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4764
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:4908
                                  • C:\providercommon\spoolsv.exe
                                    "C:\providercommon\spoolsv.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of WriteProcessMemory
                                    PID:4788
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4320
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:4568
                                        • C:\providercommon\spoolsv.exe
                                          "C:\providercommon\spoolsv.exe"
                                          15⤵
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of WriteProcessMemory
                                          PID:4308
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:1868
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:872
                                              • C:\providercommon\spoolsv.exe
                                                "C:\providercommon\spoolsv.exe"
                                                17⤵
                                                • Executes dropped EXE
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of WriteProcessMemory
                                                PID:4456
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
                                                  18⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:220
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    19⤵
                                                      PID:2180
                                                    • C:\providercommon\spoolsv.exe
                                                      "C:\providercommon\spoolsv.exe"
                                                      19⤵
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1040
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
                                                        20⤵
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:2132
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          21⤵
                                                            PID:2392
                                                          • C:\providercommon\spoolsv.exe
                                                            "C:\providercommon\spoolsv.exe"
                                                            21⤵
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:4500
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
                                                              22⤵
                                                                PID:1848
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  23⤵
                                                                    PID:4340
                                                                  • C:\providercommon\spoolsv.exe
                                                                    "C:\providercommon\spoolsv.exe"
                                                                    23⤵
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:4356
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
                                                                      24⤵
                                                                        PID:1216
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          25⤵
                                                                            PID:3820
                                                                          • C:\providercommon\spoolsv.exe
                                                                            "C:\providercommon\spoolsv.exe"
                                                                            25⤵
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:4744
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
                                                                              26⤵
                                                                                PID:4740
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  27⤵
                                                                                    PID:4716
                                                                                  • C:\providercommon\spoolsv.exe
                                                                                    "C:\providercommon\spoolsv.exe"
                                                                                    27⤵
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:2668
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
                                                                                      28⤵
                                                                                        PID:3896
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          29⤵
                                                                                            PID:2748
                                                                                          • C:\providercommon\spoolsv.exe
                                                                                            "C:\providercommon\spoolsv.exe"
                                                                                            29⤵
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            PID:1400
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
                                                                                              30⤵
                                                                                                PID:4224
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  31⤵
                                                                                                    PID:3912
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4240
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\ShellExperienceHost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4204
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:3716
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1948
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4308
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2616

                                      Network

                                            MITRE ATT&CK Enterprise v6

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              3KB

                                              MD5

                                              ad5cd538ca58cb28ede39c108acb5785

                                              SHA1

                                              1ae910026f3dbe90ed025e9e96ead2b5399be877

                                              SHA256

                                              c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                              SHA512

                                              c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              d63ff49d7c92016feb39812e4db10419

                                              SHA1

                                              2307d5e35ca9864ffefc93acf8573ea995ba189b

                                              SHA256

                                              375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

                                              SHA512

                                              00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              b8434b46a9fc311482dfa3ec2c6baf2f

                                              SHA1

                                              ab925a9da43821ca31158f8ddbe682fbf4f96400

                                              SHA256

                                              23fe0033babdfe0c502df6de36685a5cdc5613086e222edc57f97a266ced8149

                                              SHA512

                                              e6ff732fccc6a6444b298f68b6fc4045a6b2ecc73a40a171bac07224529615252a1a8fa4c50a29b1e6daabb34e14bac3845ad22f620e18ed7f684a54b6e3a1bc

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              092012581b38cacd04073f0befea943a

                                              SHA1

                                              3ae45afb2d715f74dabd25d0c1036e2d1ab13d24

                                              SHA256

                                              e4f55f299bd74de0c8da82b4ed70a87053a89a785b84c694ed4008bcad0b7d43

                                              SHA512

                                              4d305282639e627c7708b2fca9601d4c2436e213fe14a53452f76fc3407c12cc7590628e7ff2e589445ba9bd1cb03c4b210a52e320cbb6c123abff4115490873

                                            • C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

                                              Filesize

                                              194B

                                              MD5

                                              6c522770f0c79d069de1ef041a2964db

                                              SHA1

                                              8302f36bf0b5bea9dca1c2a5a50961e56ecb0bb9

                                              SHA256

                                              5330e72eaf0a9be3b692900fcb82f271d9840ce64dd4bb9865edc749c2518a16

                                              SHA512

                                              8a0615cf2fcb3a0b321a26aaf9f9fce4d98f02d32e4abb904581761c85d4776aad2dab96b525e00a035d2715942d4989e68c089ce7e5c658c6300e209bbb7397

                                            • C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

                                              Filesize

                                              194B

                                              MD5

                                              1858f84b7b73cfc217a383938d8a8150

                                              SHA1

                                              f2d4f39c94b0536ce58c66de2907c4907d5bb56f

                                              SHA256

                                              605c285c4597920bdd8034383c15a5353364d6d196af343a454636d8f5963bdd

                                              SHA512

                                              ab56ec1da589d522aa81592cbf78095f4eacdf4f327e7ed32af16595ab399680f08e604f59c4f6d2c43049e5dd7bef9184e443f8ab79b34c0437e268283218e7

                                            • C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat

                                              Filesize

                                              194B

                                              MD5

                                              29bd0125796fde2ef8132f8eaa217fd5

                                              SHA1

                                              cc2fb831cce856f60686ddd3cfad627d6d66ab5a

                                              SHA256

                                              afc15f23191d430539f609cbd398868e3e566708c6ea5b78a33ee2cedd22811c

                                              SHA512

                                              04d2037be4d85896697d7f82f467d84cb6ae23b2e6c45937062142f6eeba99b9c830b34b88eb6a2d4a5f5825e5ef520798cdb3ebc9f63218c73900b1131ff262

                                            • C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

                                              Filesize

                                              194B

                                              MD5

                                              427255b2c8ddf096e6fddeadf31deb46

                                              SHA1

                                              42b5ae31fe33ff1e425a52b3f6f41a486028ba79

                                              SHA256

                                              1061f887ef79ad9264b63f7dc2a9a8f43e43ca9d5ae0e72fdeca55fca67c3b5b

                                              SHA512

                                              0aeab5b4f2ee270026bfbe5ba597004590daa7c357b702d6f2b97d3436eb299767ea412c94f00a43153f91211032f60c5b65acc844c031a631a6398a9cc82731

                                            • C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

                                              Filesize

                                              194B

                                              MD5

                                              d70f90efaef46f3a65e8705ee25b41cb

                                              SHA1

                                              18a7cb2ec46583c1e2dfba33479e19fa15c7035c

                                              SHA256

                                              1ae98bbc1b48d226920d540af178858d844041e6bea6ad8e2cc3199cb8d5a8b0

                                              SHA512

                                              972cc184972980fdc5aa119ca91cbf678a3eb35d2b719b032575ea2137dea86ee2af6b5569831ce74c77295de3c4762c3477469092f107e153db525f87e78754

                                            • C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat

                                              Filesize

                                              194B

                                              MD5

                                              053299379af7f320502094d4db361064

                                              SHA1

                                              fb52af0a338f97f6b027396761289af1c47b05d9

                                              SHA256

                                              b7e1d763d0da3815816fd79bb73aa384438802766c5e201cbe20d07d4146579b

                                              SHA512

                                              08fa30b721812ccd2a3311a91d538151e8d9b2fb738dcf4882f7879fc4488e0e2b5ce6aac5cadecc64c0c089d389013cfd703bc87be266a2e148a9685888764a

                                            • C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

                                              Filesize

                                              194B

                                              MD5

                                              dd60a0b180866a8990e9ce5e71e92014

                                              SHA1

                                              3426c79c42ce1955a807a8db0e7384367530e626

                                              SHA256

                                              251cdcb3fd8495edc3ccfa0e8032cbce872c9f88a1112cdab48cb869f7968fa9

                                              SHA512

                                              df86fb1d2429a8c93a31cdc780c74c0e73b24fc12c43832afbccfab04e076686ef75eca186d048deaed35b7c262b414d2059595f54c236db30203fd711784e48

                                            • C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

                                              Filesize

                                              194B

                                              MD5

                                              f08ede0c3722e29faa90ee33271baf31

                                              SHA1

                                              187cf7178a9e86e74961dd5b7be0c6d304661453

                                              SHA256

                                              5aab7437fccad7c0382313275a43dee9c7ebfac13ecfaa02ea7133355c217be3

                                              SHA512

                                              260a22a20612fcd5f65bcbee0a5fddab647750df83f7a89bc43706d58d8ea701bc1f7c1d19531b884578084d1ccb4491efa9b533f38628692664bb23cb97cc16

                                            • C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

                                              Filesize

                                              194B

                                              MD5

                                              0ea0d87ad435c307b8d9dd2b4d2cba51

                                              SHA1

                                              7bd4afcca773d72eaec8f535fb3e68cf5e632a4c

                                              SHA256

                                              57251a912d8124f8f558e5ae490378ab906f691d01e050dcf46f09fe6654f6af

                                              SHA512

                                              d60efca0a133fa6e14e0fc08cbcc7758a2cfbe645b668177bdd5d6ed2f71761db13beb54488904481107ed4b6b898b7fedbd683d19dff31f0249b812fd21b158

                                            • C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

                                              Filesize

                                              194B

                                              MD5

                                              7521031780c8016c32a493702821cffb

                                              SHA1

                                              e68fe9f5735b775d225628c47dafff53607d5f54

                                              SHA256

                                              79d31363a5391f9379cdf62a97638a429387f99e36f7f599de3b52c434e420e6

                                              SHA512

                                              f5d4305a3ad6367499b929cf9246bc8d97af8f3dabe7d2888b5694c3bce43d220914663a599186e1d97dd518f30a67d4c2956068940454061e44e75d285f2b19

                                            • C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat

                                              Filesize

                                              194B

                                              MD5

                                              b32e168ee4749de589617064dc2c61db

                                              SHA1

                                              946988d13b9bd7d1875409555c9afbf97320aeb4

                                              SHA256

                                              cf6521a7b24a76ad5d9ac4909ec54b9a9a222d5aaa3f63196b5c3bcc23df21df

                                              SHA512

                                              3c9081b2cd5817d34ba5af66a0808dbb3115c0b50b672dd36f3ef120003fd5f33ae37bf87d95a45e146d0112e1b95102647ffec1408b06e996e9f819cc42a78d

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\spoolsv.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/1040-440-0x00000000011E0000-0x00000000011F2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1292-412-0x0000000000D50000-0x0000000000D62000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2656-161-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-138-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-174-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-175-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-177-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-176-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-178-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-179-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-180-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-182-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-181-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-124-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-125-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-121-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-172-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-171-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-173-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-170-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-168-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-120-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-119-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-127-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-128-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-129-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-132-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-133-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-135-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-137-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-136-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-167-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-166-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-169-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-139-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-134-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-165-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-164-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-149-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-131-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-163-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-162-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-140-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-122-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-159-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-130-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-160-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-141-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-158-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-151-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-157-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-142-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-156-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-143-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-155-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-154-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-145-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-153-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-144-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-146-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-152-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-147-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-148-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2656-150-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/3472-288-0x000000001B8B0000-0x000000001B8BC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3472-287-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3472-286-0x0000000002460000-0x0000000002472000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3472-285-0x0000000000270000-0x0000000000380000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/3472-289-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/4308-429-0x0000000000E20000-0x0000000000E32000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4356-451-0x0000000000A80000-0x0000000000A92000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4444-309-0x0000000001060000-0x0000000001072000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4784-185-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/4784-184-0x0000000077770000-0x00000000778FE000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/4788-423-0x0000000000920000-0x0000000000932000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4932-314-0x000002DC99A60000-0x000002DC99AD6000-memory.dmp

                                              Filesize

                                              472KB

                                            • memory/5044-308-0x00000193E4760000-0x00000193E4782000-memory.dmp

                                              Filesize

                                              136KB
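The dump artifacts above are named after the sandbox's convention of `memory/<pid>-<capture index>-0x<start>-0x<end>-memory.dmp`, and the reported Filesize should simply be the length of that address range. As an added example, not part of the original report or of the sandbox's own tooling, the Python below parses those names, derives the region size from the range, checks it against the reported figure within the rounding of the displayed value, and collapses the many dumps of one range (PID 2656 dumped 0x77770000-0x778FE000 repeatedly) into a single region with its list of capture indices. The sample entries are constructed from names listed above; the regex, the rounding tolerance and the assumption that the sandbox prints sizes at the shown precision are mine, not something the report states.

```python
import re
from collections import defaultdict

# Naming convention of the dump artifacts in the report, assumed from the
# names themselves: memory/<pid>-<capture index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed sample drawn from the entries above: (artifact name, reported Filesize)
SAMPLE_ENTRIES = [
    ("memory/2656-122-0x0000000077770000-0x00000000778FE000-memory.dmp", "1.6MB"),
    ("memory/2656-130-0x0000000077770000-0x00000000778FE000-memory.dmp", "1.6MB"),
    ("memory/2656-131-0x0000000077770000-0x00000000778FE000-memory.dmp", "1.6MB"),
    ("memory/3472-285-0x0000000000270000-0x0000000000380000-memory.dmp", "1.1MB"),
    ("memory/3472-286-0x0000000002460000-0x0000000002472000-memory.dmp", "72KB"),
    ("memory/3472-288-0x000000001B8B0000-0x000000001B8BC000-memory.dmp", "48KB"),
    ("memory/4784-184-0x0000000077770000-0x00000000778FE000-memory.dmp", "1.6MB"),
    ("memory/4932-314-0x000002DC99A60000-0x000002DC99AD6000-memory.dmp", "472KB"),
    ("memory/5044-308-0x00000193E4760000-0x00000193E4782000-memory.dmp", "136KB"),
]


def parse_dump_name(name):
    """Split a dump artifact name into pid, capture index and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump artifact name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def parse_filesize(text):
    """Turn a reported size such as '1.6MB' or '48KB' into (bytes, granularity),
    where granularity is the byte value of one step in the last printed digit."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?\s*(B|KB|MB|GB)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised size: {text!r}")
    whole, frac, unit = m.groups()
    value = float(f"{whole}.{frac or 0}")
    granularity = UNITS[unit] / 10 ** len(frac or "")
    return value * UNITS[unit], granularity


def check_entry(name, reported):
    """Parse one entry and flag whether the address range agrees with the
    reported Filesize within the rounding of the displayed figure."""
    entry = parse_dump_name(name)
    reported_bytes, granularity = parse_filesize(reported)
    entry["reported"] = reported.strip()
    # Assumption: the sandbox rounds to the displayed precision, so anything
    # within half a display step counts as consistent.
    entry["consistent"] = abs(entry["size"] - reported_bytes) <= granularity / 2
    return entry


def audit(entries):
    """Check every (name, Filesize) pair and collapse repeated dumps of the same
    range into one region keyed by (pid, start, end) with its capture indices."""
    checked = [check_entry(name, size) for name, size in entries]
    regions = defaultdict(list)
    for e in checked:
        regions[(e["pid"], e["start"], e["end"])].append(e["idx"])
    return {
        "entries": checked,
        "inconsistent": [e for e in checked if not e["consistent"]],
        "regions": {k: sorted(v) for k, v in regions.items()},
    }


if __name__ == "__main__":
    result = audit(SAMPLE_ENTRIES)
    for (pid, start, end), idxs in sorted(result["regions"].items()):
        print(f"pid {pid}: 0x{start:X}-0x{end:X} ({end - start} bytes) "
              f"captured {len(idxs)} time(s): {idxs}")
    for e in result["inconsistent"]:
        print("size mismatch:", e["reported"], "vs", e["size"], "bytes for", e["pid"])
```

Run against the full list, this turns the 27 entries for PID 2656 into one 0x18E000-byte (1,630,208-byte) region captured at successive points of the run, plus the same range in PID 4784, rather than 29 separate allocations; the small 48KB and 72KB regions in the other processes are distinct ranges. A dump whose reported size does not match its range is worth a second look before it is treated as a faithful copy of that region.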