dcrat | b84a7ed8d683bf31e5b490b96d89b6216ea1655d98ed63b13f61f7f36e289381

Analysis

max time kernel
144s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 11:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b84a7ed8d683bf31e5b490b96d89b6216ea1655d98ed63b13f61f7f36e289381.exe
Size

1.3MB
MD5

bca157a0b23a0af0f59ef16e83cc5d1a
SHA1

fc4bd2544619ce9d94968abe0d7474e72d4dfd0a
SHA256

b84a7ed8d683bf31e5b490b96d89b6216ea1655d98ed63b13f61f7f36e289381
SHA512

127407a8614a51679d7ac76b8fac334cea9f56afa49df6737eae41ef6dc3f56a7914a485f089c51c8c7a295305ceef498c07456ff4f9895c2385c3d5c1294ebb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	4688	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4688	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac10-279.dat	dcrat
behavioral1/files/0x000900000001ac10-280.dat	dcrat
behavioral1/memory/3512-281-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/files/0x000900000001ac10-300.dat	dcrat
behavioral1/files/0x000600000001ac2a-597.dat	dcrat
behavioral1/files/0x000600000001ac2a-598.dat	dcrat
behavioral1/files/0x000600000001ac2a-604.dat	dcrat
behavioral1/files/0x000600000001ac2a-611.dat	dcrat
behavioral1/files/0x000600000001ac2a-617.dat	dcrat
behavioral1/files/0x000600000001ac2a-622.dat	dcrat
behavioral1/files/0x000600000001ac2a-628.dat	dcrat
behavioral1/files/0x000600000001ac2a-633.dat	dcrat
behavioral1/files/0x000600000001ac2a-638.dat	dcrat
behavioral1/files/0x000600000001ac2a-644.dat	dcrat
behavioral1/files/0x000600000001ac2a-650.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3512	DllCommonsvc.exe
3288	DllCommonsvc.exe
1144	System.exe
5052	System.exe
3788	System.exe
1568	System.exe
3372	System.exe
1160	System.exe
2276	System.exe
3376	System.exe
724	System.exe
3064	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\System.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2908	schtasks.exe
4132	schtasks.exe
4240	schtasks.exe
3896	schtasks.exe
3864	schtasks.exe
4912	schtasks.exe
3728	schtasks.exe
2228	schtasks.exe
3948	schtasks.exe
4788	schtasks.exe
2852	schtasks.exe
3336	schtasks.exe
3976	schtasks.exe
3176	schtasks.exe
4444	schtasks.exe
1808	schtasks.exe
2760	schtasks.exe
4588	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	b84a7ed8d683bf31e5b490b96d89b6216ea1655d98ed63b13f61f7f36e289381.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3512	DllCommonsvc.exe
408	powershell.exe
4344	powershell.exe
3044	powershell.exe
4460	powershell.exe
4400	powershell.exe
3044	powershell.exe
4344	powershell.exe
4400	powershell.exe
408	powershell.exe
3288	DllCommonsvc.exe
4460	powershell.exe
4344	powershell.exe
4400	powershell.exe
408	powershell.exe
3044	powershell.exe
4460	powershell.exe
4060	powershell.exe
4092	powershell.exe
4092	powershell.exe
4060	powershell.exe
2792	powershell.exe
4092	powershell.exe
2792	powershell.exe
4060	powershell.exe
2792	powershell.exe
1144	System.exe
5052	System.exe
3788	System.exe
1568	System.exe
3372	System.exe
1160	System.exe
2276	System.exe
3376	System.exe
724	System.exe
3064	System.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3512	DllCommonsvc.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3288	DllCommonsvc.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeIncreaseQuotaPrivilege	4400	powershell.exe
Token: SeSecurityPrivilege	4400	powershell.exe
Token: SeTakeOwnershipPrivilege	4400	powershell.exe
Token: SeLoadDriverPrivilege	4400	powershell.exe
Token: SeSystemProfilePrivilege	4400	powershell.exe
Token: SeSystemtimePrivilege	4400	powershell.exe
Token: SeProfSingleProcessPrivilege	4400	powershell.exe
Token: SeIncBasePriorityPrivilege	4400	powershell.exe
Token: SeCreatePagefilePrivilege	4400	powershell.exe
Token: SeBackupPrivilege	4400	powershell.exe
Token: SeRestorePrivilege	4400	powershell.exe
Token: SeShutdownPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeSystemEnvironmentPrivilege	4400	powershell.exe
Token: SeRemoteShutdownPrivilege	4400	powershell.exe
Token: SeUndockPrivilege	4400	powershell.exe
Token: SeManageVolumePrivilege	4400	powershell.exe
Token: 33	4400	powershell.exe
Token: 34	4400	powershell.exe
Token: 35	4400	powershell.exe
Token: 36	4400	powershell.exe
Token: SeIncreaseQuotaPrivilege	408	powershell.exe
Token: SeSecurityPrivilege	408	powershell.exe
Token: SeTakeOwnershipPrivilege	408	powershell.exe
Token: SeLoadDriverPrivilege	408	powershell.exe
Token: SeSystemProfilePrivilege	408	powershell.exe
Token: SeSystemtimePrivilege	408	powershell.exe
Token: SeProfSingleProcessPrivilege	408	powershell.exe
Token: SeIncBasePriorityPrivilege	408	powershell.exe
Token: SeCreatePagefilePrivilege	408	powershell.exe
Token: SeBackupPrivilege	408	powershell.exe
Token: SeRestorePrivilege	408	powershell.exe
Token: SeShutdownPrivilege	408	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeSystemEnvironmentPrivilege	408	powershell.exe
Token: SeRemoteShutdownPrivilege	408	powershell.exe
Token: SeUndockPrivilege	408	powershell.exe
Token: SeManageVolumePrivilege	408	powershell.exe
Token: 33	408	powershell.exe
Token: 34	408	powershell.exe
Token: 35	408	powershell.exe
Token: 36	408	powershell.exe
Token: SeIncreaseQuotaPrivilege	3044	powershell.exe
Token: SeSecurityPrivilege	3044	powershell.exe
Token: SeTakeOwnershipPrivilege	3044	powershell.exe
Token: SeLoadDriverPrivilege	3044	powershell.exe
Token: SeSystemProfilePrivilege	3044	powershell.exe
Token: SeSystemtimePrivilege	3044	powershell.exe
Token: SeProfSingleProcessPrivilege	3044	powershell.exe
Token: SeIncBasePriorityPrivilege	3044	powershell.exe
Token: SeCreatePagefilePrivilege	3044	powershell.exe
Token: SeBackupPrivilege	3044	powershell.exe
Token: SeRestorePrivilege	3044	powershell.exe
Token: SeShutdownPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeSystemEnvironmentPrivilege	3044	powershell.exe
Token: SeRemoteShutdownPrivilege	3044	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 4084	2496	b84a7ed8d683bf31e5b490b96d89b6216ea1655d98ed63b13f61f7f36e289381.exe	66
PID 2496 wrote to memory of 4084	2496	b84a7ed8d683bf31e5b490b96d89b6216ea1655d98ed63b13f61f7f36e289381.exe	66
PID 2496 wrote to memory of 4084	2496	b84a7ed8d683bf31e5b490b96d89b6216ea1655d98ed63b13f61f7f36e289381.exe	66
PID 4084 wrote to memory of 4732	4084	WScript.exe	67
PID 4084 wrote to memory of 4732	4084	WScript.exe	67
PID 4084 wrote to memory of 4732	4084	WScript.exe	67
PID 4732 wrote to memory of 3512	4732	cmd.exe	69
PID 4732 wrote to memory of 3512	4732	cmd.exe	69
PID 3512 wrote to memory of 4460	3512	DllCommonsvc.exe	83
PID 3512 wrote to memory of 4460	3512	DllCommonsvc.exe	83
PID 3512 wrote to memory of 4344	3512	DllCommonsvc.exe	84
PID 3512 wrote to memory of 4344	3512	DllCommonsvc.exe	84
PID 3512 wrote to memory of 408	3512	DllCommonsvc.exe	85
PID 3512 wrote to memory of 408	3512	DllCommonsvc.exe	85
PID 3512 wrote to memory of 3044	3512	DllCommonsvc.exe	87
PID 3512 wrote to memory of 3044	3512	DllCommonsvc.exe	87
PID 3512 wrote to memory of 4400	3512	DllCommonsvc.exe	89
PID 3512 wrote to memory of 4400	3512	DllCommonsvc.exe	89
PID 3512 wrote to memory of 3288	3512	DllCommonsvc.exe	93
PID 3512 wrote to memory of 3288	3512	DllCommonsvc.exe	93
PID 3288 wrote to memory of 4060	3288	DllCommonsvc.exe	100
PID 3288 wrote to memory of 4060	3288	DllCommonsvc.exe	100
PID 3288 wrote to memory of 2792	3288	DllCommonsvc.exe	101
PID 3288 wrote to memory of 2792	3288	DllCommonsvc.exe	101
PID 3288 wrote to memory of 4092	3288	DllCommonsvc.exe	103
PID 3288 wrote to memory of 4092	3288	DllCommonsvc.exe	103
PID 3288 wrote to memory of 5104	3288	DllCommonsvc.exe	106
PID 3288 wrote to memory of 5104	3288	DllCommonsvc.exe	106
PID 5104 wrote to memory of 5040	5104	cmd.exe	109
PID 5104 wrote to memory of 5040	5104	cmd.exe	109
PID 5104 wrote to memory of 1144	5104	cmd.exe	110
PID 5104 wrote to memory of 1144	5104	cmd.exe	110
PID 1144 wrote to memory of 5100	1144	System.exe	111
PID 1144 wrote to memory of 5100	1144	System.exe	111
PID 5100 wrote to memory of 3956	5100	cmd.exe	113
PID 5100 wrote to memory of 3956	5100	cmd.exe	113
PID 5100 wrote to memory of 5052	5100	cmd.exe	114
PID 5100 wrote to memory of 5052	5100	cmd.exe	114
PID 5052 wrote to memory of 1264	5052	System.exe	116
PID 5052 wrote to memory of 1264	5052	System.exe	116
PID 1264 wrote to memory of 3912	1264	cmd.exe	117
PID 1264 wrote to memory of 3912	1264	cmd.exe	117
PID 1264 wrote to memory of 3788	1264	cmd.exe	118
PID 1264 wrote to memory of 3788	1264	cmd.exe	118
PID 3788 wrote to memory of 4804	3788	System.exe	121
PID 3788 wrote to memory of 4804	3788	System.exe	121
PID 4804 wrote to memory of 2844	4804	cmd.exe	120
PID 4804 wrote to memory of 2844	4804	cmd.exe	120
PID 4804 wrote to memory of 1568	4804	cmd.exe	122
PID 4804 wrote to memory of 1568	4804	cmd.exe	122
PID 1568 wrote to memory of 1820	1568	System.exe	124
PID 1568 wrote to memory of 1820	1568	System.exe	124
PID 1820 wrote to memory of 3516	1820	cmd.exe	125
PID 1820 wrote to memory of 3516	1820	cmd.exe	125
PID 1820 wrote to memory of 3372	1820	cmd.exe	126
PID 1820 wrote to memory of 3372	1820	cmd.exe	126
PID 3372 wrote to memory of 4176	3372	System.exe	127
PID 3372 wrote to memory of 4176	3372	System.exe	127
PID 4176 wrote to memory of 1284	4176	cmd.exe	129
PID 4176 wrote to memory of 1284	4176	cmd.exe	129
PID 4176 wrote to memory of 1160	4176	cmd.exe	130
PID 4176 wrote to memory of 1160	4176	cmd.exe	130
PID 1160 wrote to memory of 4528	1160	System.exe	131
PID 1160 wrote to memory of 4528	1160	System.exe	131

C:\Users\Admin\AppData\Local\Temp\b84a7ed8d683bf31e5b490b96d89b6216ea1655d98ed63b13f61f7f36e289381.exe
"C:\Users\Admin\AppData\Local\Temp\b84a7ed8d683bf31e5b490b96d89b6216ea1655d98ed63b13f61f7f36e289381.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\ShellExperienceHost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G5UmEo0ipx.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5040
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3956
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3912
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3516
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1284
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
        18⤵
        
        PID:4528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4348
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        20⤵
        
        PID:320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4532
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
        22⤵
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4524
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
        24⤵
        
        PID:4904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4592
        
        C:\Program Files (x86)\Windows Multimedia Platform\System.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Music\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\System.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a6115a956c8fb8ceb21ae98a1a21122

SHA1
2125de356a675f1361137d21125f0a806c935de7

SHA256
da7f6ecbcd2f0be3df7a095163660d875e90fb70ce4300908fe0c48f0b742ad3

SHA512
60f56f492f5418fca4e7f849877b6b47d084a2d136681ae102c076dfb02a639fa242a79ba754c0cd6ba525669c03456edfc39268cb0df12bc681d895517fa54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8cd34593b8347a6ec069775e32802291

SHA1
7fc111decaa8afdf496d82e850dc84c612fe5197

SHA256
9d0617a88256164cd731f76ef30a980c628653185b1a4e53fbb075f744a75875

SHA512
4b3af3b24b392d1ec0e9c132f85016c1eaf07d0795ef0ae571d7ceb6b7233e9ef614bfea84e42246a1e0e13ccbf24645c9d62c175d22d49ca9530f648cffd345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ff88cd39c291945f500cca8099b53be

SHA1
e95c530585607f7d34473cbd5dde0872e87a00a7

SHA256
8f9db12c588b4c521639587854c454cc51eab6f412fb366f0b736eb2b3eadbe3

SHA512
c69f59283c894571c94c65a9721c274ffa5d68e9b55fab75506620502e76a72f0ec2063ff8b3d19aee9b28803e6fc049de570cb47c25789636b188c800b5e39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c9227900dd4ec75fc29b6c9e5722a6b

SHA1
c95d445b6eb9a050d0c6327c9d6ded626ec22596

SHA256
d3fad766e6c936722dfeb2d74cf25e710817df4bff763a362d2ab1a387eef775

SHA512
aadffd722d7affe029f7f38f189f120e01aaaa08377048ba6e1d183561e0a2fc2ba3850f428a640c8a20158409e41913d0dc660aa30edab9236cc3372e32bc9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c9227900dd4ec75fc29b6c9e5722a6b

SHA1
c95d445b6eb9a050d0c6327c9d6ded626ec22596

SHA256
d3fad766e6c936722dfeb2d74cf25e710817df4bff763a362d2ab1a387eef775

SHA512
aadffd722d7affe029f7f38f189f120e01aaaa08377048ba6e1d183561e0a2fc2ba3850f428a640c8a20158409e41913d0dc660aa30edab9236cc3372e32bc9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17ff2cda63c3ff833d82d7091b117676

SHA1
e02aca278ef80f24b59dd1b9a7040e27f3f260ff

SHA256
5c7267f685c849537ccb0f45303ece85ba686305cdac8bbfc0e3f492d36f209b

SHA512
73c39c8204114f61bbc1b3a63a6bde57e8718de28260af7bc457746934cd84568b63591a8e5bb2fb61ac313e880b90dda09cc5a9961d3051772e90eb9d0a7694

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

Filesize
226B

MD5
5f5dc87f145d041e7bdebf24278b28e9

SHA1
8317a81a6311a7a98165f7d7efe18c60f00ccd6c

SHA256
f144a8a29c099795795bc1e3740c9fa793657ca4bf1e2ced6048776a1bcc519e

SHA512
cf7d1d4d3c532b16dd4bfcda84b531be9c39e706121a99e2ee845f73d0a7cc2aa8de7792320e78f9a3ab67baf378ebc6948156e7cef2cb35b4043eb3129e183f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

Filesize
226B

MD5
d23d4c53e3a828c7f64f397cfaf2f4f2

SHA1
137e0fd8c83e97313a6d1073c87712b9952ff7ce

SHA256
18263302c63f524cb0df57120453c82a5ca4c00d316ea4f6aa302a5379402dff

SHA512
73785ae34af0ac2df171c2ff860e929cccdc09dc07f827780a423871a87e5f31d5e55c1e7f536788e86e6021f6e0e5f9094d1ae96156653cc0ebcfc19f61c825

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

Filesize
226B

MD5
db503a8074c5330bcbaa6293baa973e2

SHA1
77ae739681c7c20e62a35c6c9d4fee0b44226510

SHA256
0771a5fb323f192afad1aeb80449f6ceb5f81153058d5d4b46752e24e02513d6

SHA512
12e5f26f99d310223ef95bf4f39e6a585caa2656b1f781402ae19988f1b413e8f838e4a5b170932affe53ac83b21bdc13c1042ba7f5274d83ad60af078cc5e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\G5UmEo0ipx.bat

Filesize
226B

MD5
4e19e68190f92ee768431cdb24d77d23

SHA1
96f1d7117be9a376102844284d5719595773f73e

SHA256
53ee52945adb0fedc21da42677ac706ffe9f8d8c59ad686e186549d40718dd77

SHA512
3f699dc5cb550c3ccdafc9df631b78756b416bf9a22bd6a09053dedeaa17a8c1d4d92a3347a27ad1488eb4294efbbb12b6eed02c1a900a0681cee58331420fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
226B

MD5
06cac47e3ce5dda8d9dc07749199ff7f

SHA1
afc8c2560ce3d7836cfde582c74c978035b5310e

SHA256
7ae0cbc0cf4f7ac3b370a5698e488e2f96d2c3e242ba956ff39d176f4243e982

SHA512
0f912bd57bd8b0b168c16ccb235028ed36a29d2d95895dedbff3cd42d34a63f60eec0ebc79cbb668364c4de8d9d014f6c1d832bb7e06d846691ba7b3d5e887db

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
226B

MD5
bd69baddb6fbc9d7ca030c24bc816e2b

SHA1
aac4745a219d171451ad50d7d0d1b12b1bac1227

SHA256
53f38fd18c577d2ab876f5e1a25153c662622dc1290fe824f8c97c0301c69cdc

SHA512
277d6575199e803c2445afebc6d5f1b2dae89d8de23a734c13571f635e0f7fb3dc0025c107580d49af760b33b7f242cbe9fc09b3e33cb13c7533921f98536c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat

Filesize
226B

MD5
8fb35199030e82bdfef2b8511388d8ac

SHA1
d595c072859257f0e1329daad64c6d9584bdad42

SHA256
ebf258d1727d94809f57ea391b4f87fc6e2f3de8fdb57a4fd2ec2cb184893bb7

SHA512
5df8099faefe9bb4ecf13498ef9a36c53c6fc16331e1204f3de2c3544c4c5853d0d3ec9d6577929f3ae323a082ee834dfe1c1188014433852d97a1ed13b59011

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

Filesize
226B

MD5
6b13e09e1af84fce8f2921a4ca628803

SHA1
0ea7711e2d351ec7b3d100797d1a71effde6e00a

SHA256
3735cea83876e1b240bb6706d422048c84542519dce22ee462f3402851e42b42

SHA512
1de5eeca08aa71acb05b384ead3606af9e0c756cd62d04192fd102a52133f556eac7b19feec0520cace2a5b03af887224a08c9b33a015c45e949b59b573b32cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

Filesize
226B

MD5
f353358aa45aee79fd3196475b59e771

SHA1
b1e2582a0630c23e222c1820774957b20c54b582

SHA256
6bb1dc257a34d28000261c4bdefd9d931167416388c82deb6791313b33b1b66e

SHA512
59325dace55c1f7aadc6d0d3c3c93353b62cf218a6e142ccfb0760d57f1c02b76ba33083f37969d61660ecfa54f7256fdadfcda3207eb5b90043a71f4095c8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat

Filesize
226B

MD5
361d8e54d45ee00f9f6004093ae7737a

SHA1
2c9ea95296d4d2869d86c169a9bb7497899eed74

SHA256
77a530512c2b854d52458ec00e81cf44c8f1f5f27c154dce4c6143802548dad6

SHA512
658618ec063f5e79be59ac3ff1102adb24d94946f82a3e42dcdc1f826b5fb1fa1ed8f2bd22702f17d1d923bdfd6bd96e31618adea5a462143a9351ac288c6c32

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/724-645-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1144-599-0x00000000013F0000-0x0000000001402000-memory.dmp

Filesize
72KB

Download
memory/2496-176-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-128-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-168-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-169-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-171-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-175-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-153-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-177-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-178-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-116-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-152-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-117-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-151-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-154-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-148-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-118-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-156-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-115-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-166-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-146-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-157-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-124-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-158-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-141-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-140-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-139-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-138-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-137-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-136-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-134-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-162-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-130-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-161-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-160-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-129-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-167-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-127-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-159-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2496-126-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3064-651-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/3288-319-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/3372-623-0x00000000016C0000-0x00000000016D2000-memory.dmp

Filesize
72KB

Download
memory/3376-639-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/3512-285-0x0000000002D30000-0x0000000002D3C000-memory.dmp

Filesize
48KB

Download
memory/3512-284-0x0000000002BC0000-0x0000000002BCC000-memory.dmp

Filesize
48KB

Download
memory/3512-283-0x0000000002D20000-0x0000000002D2C000-memory.dmp

Filesize
48KB

Download
memory/3512-282-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/3512-281-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/3788-612-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/4084-180-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/4084-181-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/4344-325-0x00000214B38C0000-0x00000214B3936000-memory.dmp

Filesize
472KB

Download
memory/4460-318-0x000002F5D8B30000-0x000002F5D8B52000-memory.dmp

Filesize
136KB

Download
memory/5052-606-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download