dcrat | b2b93023bcfa81859c7944e3afdc1df6f3ae706cc9cdff74cbb63fb448b31cb4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b93023bcfa81859c7944e3afdc1df6f3ae706cc9cdff74cbb63fb448b31cb4.exe
Size

1.3MB
MD5

2eb34545a441c20d8dd85c9bd8950475
SHA1

6bfbc7534270937aeb9046e34a97ccb1b83a2ce8
SHA256

b2b93023bcfa81859c7944e3afdc1df6f3ae706cc9cdff74cbb63fb448b31cb4
SHA512

9ab449c34a7ec1b5d7317e40886b212ae6fd48c485a859bb989e821ec6497f2d875ef33112c72f69b1cdea4b3286859b971e3261941a2e3d2fc0903f12c16b46
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4936	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4936	schtasks.exe	70

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac35-284.dat	dcrat
behavioral1/files/0x000800000001ac35-285.dat	dcrat
behavioral1/memory/4564-286-0x0000000000C70000-0x0000000000D80000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac5d-308.dat	dcrat
behavioral1/files/0x000600000001ac5d-309.dat	dcrat
behavioral1/files/0x000600000001ac5d-597.dat	dcrat
behavioral1/files/0x000600000001ac5d-604.dat	dcrat
behavioral1/files/0x000600000001ac5d-609.dat	dcrat
behavioral1/files/0x000600000001ac5d-614.dat	dcrat
behavioral1/files/0x000600000001ac5d-620.dat	dcrat
behavioral1/files/0x000600000001ac5d-626.dat	dcrat
behavioral1/files/0x000600000001ac5d-632.dat	dcrat
behavioral1/files/0x000600000001ac5d-638.dat	dcrat
behavioral1/files/0x000600000001ac5d-643.dat	dcrat
behavioral1/files/0x000600000001ac5d-648.dat	dcrat
behavioral1/files/0x000600000001ac5d-653.dat	dcrat
behavioral1/files/0x000600000001ac5d-658.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
4564	DllCommonsvc.exe
2256	spoolsv.exe
5024	spoolsv.exe
3456	spoolsv.exe
1804	spoolsv.exe
3112	spoolsv.exe
3908	spoolsv.exe
2452	spoolsv.exe
4688	spoolsv.exe
2280	spoolsv.exe
5056	spoolsv.exe
3220	spoolsv.exe
4128	spoolsv.exe
4608	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HoloShell\pris\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\HoloShell\pris\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2052	schtasks.exe
5060	schtasks.exe
4644	schtasks.exe
4024	schtasks.exe
4460	schtasks.exe
4420	schtasks.exe
3120	schtasks.exe
5056	schtasks.exe
4236	schtasks.exe
3172	schtasks.exe
4076	schtasks.exe
2216	schtasks.exe
3388	schtasks.exe
1828	schtasks.exe
3456	schtasks.exe
2240	schtasks.exe
2264	schtasks.exe
4580	schtasks.exe
4752	schtasks.exe
4748	schtasks.exe
3112	schtasks.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	b2b93023bcfa81859c7944e3afdc1df6f3ae706cc9cdff74cbb63fb448b31cb4.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4564	DllCommonsvc.exe
4564	DllCommonsvc.exe
4564	DllCommonsvc.exe
4648	powershell.exe
4720	powershell.exe
4704	powershell.exe
4872	powershell.exe
4388	powershell.exe
4364	powershell.exe
1212	powershell.exe
360	powershell.exe
2256	spoolsv.exe
360	powershell.exe
4648	powershell.exe
4388	powershell.exe
4720	powershell.exe
4872	powershell.exe
1212	powershell.exe
4704	powershell.exe
4364	powershell.exe
360	powershell.exe
4388	powershell.exe
4648	powershell.exe
4872	powershell.exe
1212	powershell.exe
4720	powershell.exe
4704	powershell.exe
4364	powershell.exe
5024	spoolsv.exe
3456	spoolsv.exe
1804	spoolsv.exe
3112	spoolsv.exe
3908	spoolsv.exe
2452	spoolsv.exe
4688	spoolsv.exe
2280	spoolsv.exe
5056	spoolsv.exe
3220	spoolsv.exe
4128	spoolsv.exe
4608	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	DllCommonsvc.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	2256	spoolsv.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4648	powershell.exe
Token: SeTakeOwnershipPrivilege	4648	powershell.exe
Token: SeLoadDriverPrivilege	4648	powershell.exe
Token: SeSystemProfilePrivilege	4648	powershell.exe
Token: SeSystemtimePrivilege	4648	powershell.exe
Token: SeProfSingleProcessPrivilege	4648	powershell.exe
Token: SeIncBasePriorityPrivilege	4648	powershell.exe
Token: SeCreatePagefilePrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4648	powershell.exe
Token: SeRestorePrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSystemEnvironmentPrivilege	4648	powershell.exe
Token: SeRemoteShutdownPrivilege	4648	powershell.exe
Token: SeUndockPrivilege	4648	powershell.exe
Token: SeManageVolumePrivilege	4648	powershell.exe
Token: 33	4648	powershell.exe
Token: 34	4648	powershell.exe
Token: 35	4648	powershell.exe
Token: 36	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4388	powershell.exe
Token: SeSecurityPrivilege	4388	powershell.exe
Token: SeTakeOwnershipPrivilege	4388	powershell.exe
Token: SeLoadDriverPrivilege	4388	powershell.exe
Token: SeSystemProfilePrivilege	4388	powershell.exe
Token: SeSystemtimePrivilege	4388	powershell.exe
Token: SeProfSingleProcessPrivilege	4388	powershell.exe
Token: SeIncBasePriorityPrivilege	4388	powershell.exe
Token: SeCreatePagefilePrivilege	4388	powershell.exe
Token: SeBackupPrivilege	4388	powershell.exe
Token: SeRestorePrivilege	4388	powershell.exe
Token: SeShutdownPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeSystemEnvironmentPrivilege	4388	powershell.exe
Token: SeRemoteShutdownPrivilege	4388	powershell.exe
Token: SeUndockPrivilege	4388	powershell.exe
Token: SeManageVolumePrivilege	4388	powershell.exe
Token: 33	4388	powershell.exe
Token: 34	4388	powershell.exe
Token: 35	4388	powershell.exe
Token: 36	4388	powershell.exe
Token: SeIncreaseQuotaPrivilege	360	powershell.exe
Token: SeSecurityPrivilege	360	powershell.exe
Token: SeTakeOwnershipPrivilege	360	powershell.exe
Token: SeLoadDriverPrivilege	360	powershell.exe
Token: SeSystemProfilePrivilege	360	powershell.exe
Token: SeSystemtimePrivilege	360	powershell.exe
Token: SeProfSingleProcessPrivilege	360	powershell.exe
Token: SeIncBasePriorityPrivilege	360	powershell.exe
Token: SeCreatePagefilePrivilege	360	powershell.exe
Token: SeBackupPrivilege	360	powershell.exe
Token: SeRestorePrivilege	360	powershell.exe
Token: SeShutdownPrivilege	360	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 3080	4876	b2b93023bcfa81859c7944e3afdc1df6f3ae706cc9cdff74cbb63fb448b31cb4.exe	66
PID 4876 wrote to memory of 3080	4876	b2b93023bcfa81859c7944e3afdc1df6f3ae706cc9cdff74cbb63fb448b31cb4.exe	66
PID 4876 wrote to memory of 3080	4876	b2b93023bcfa81859c7944e3afdc1df6f3ae706cc9cdff74cbb63fb448b31cb4.exe	66
PID 3080 wrote to memory of 4500	3080	WScript.exe	67
PID 3080 wrote to memory of 4500	3080	WScript.exe	67
PID 3080 wrote to memory of 4500	3080	WScript.exe	67
PID 4500 wrote to memory of 4564	4500	cmd.exe	69
PID 4500 wrote to memory of 4564	4500	cmd.exe	69
PID 4564 wrote to memory of 4648	4564	DllCommonsvc.exe	92
PID 4564 wrote to memory of 4648	4564	DllCommonsvc.exe	92
PID 4564 wrote to memory of 4704	4564	DllCommonsvc.exe	95
PID 4564 wrote to memory of 4704	4564	DllCommonsvc.exe	95
PID 4564 wrote to memory of 4720	4564	DllCommonsvc.exe	94
PID 4564 wrote to memory of 4720	4564	DllCommonsvc.exe	94
PID 4564 wrote to memory of 4872	4564	DllCommonsvc.exe	107
PID 4564 wrote to memory of 4872	4564	DllCommonsvc.exe	107
PID 4564 wrote to memory of 4388	4564	DllCommonsvc.exe	105
PID 4564 wrote to memory of 4388	4564	DllCommonsvc.exe	105
PID 4564 wrote to memory of 4364	4564	DllCommonsvc.exe	96
PID 4564 wrote to memory of 4364	4564	DllCommonsvc.exe	96
PID 4564 wrote to memory of 360	4564	DllCommonsvc.exe	97
PID 4564 wrote to memory of 360	4564	DllCommonsvc.exe	97
PID 4564 wrote to memory of 1212	4564	DllCommonsvc.exe	101
PID 4564 wrote to memory of 1212	4564	DllCommonsvc.exe	101
PID 4564 wrote to memory of 2256	4564	DllCommonsvc.exe	102
PID 4564 wrote to memory of 2256	4564	DllCommonsvc.exe	102
PID 2256 wrote to memory of 4268	2256	spoolsv.exe	110
PID 2256 wrote to memory of 4268	2256	spoolsv.exe	110
PID 4268 wrote to memory of 3080	4268	cmd.exe	112
PID 4268 wrote to memory of 3080	4268	cmd.exe	112
PID 4268 wrote to memory of 5024	4268	cmd.exe	113
PID 4268 wrote to memory of 5024	4268	cmd.exe	113
PID 5024 wrote to memory of 3264	5024	spoolsv.exe	114
PID 5024 wrote to memory of 3264	5024	spoolsv.exe	114
PID 3264 wrote to memory of 4156	3264	cmd.exe	116
PID 3264 wrote to memory of 4156	3264	cmd.exe	116
PID 3264 wrote to memory of 3456	3264	cmd.exe	117
PID 3264 wrote to memory of 3456	3264	cmd.exe	117
PID 3456 wrote to memory of 4676	3456	spoolsv.exe	118
PID 3456 wrote to memory of 4676	3456	spoolsv.exe	118
PID 4676 wrote to memory of 4836	4676	cmd.exe	120
PID 4676 wrote to memory of 4836	4676	cmd.exe	120
PID 4676 wrote to memory of 1804	4676	cmd.exe	121
PID 4676 wrote to memory of 1804	4676	cmd.exe	121
PID 1804 wrote to memory of 5076	1804	spoolsv.exe	122
PID 1804 wrote to memory of 5076	1804	spoolsv.exe	122
PID 5076 wrote to memory of 4808	5076	cmd.exe	124
PID 5076 wrote to memory of 4808	5076	cmd.exe	124
PID 5076 wrote to memory of 3112	5076	cmd.exe	125
PID 5076 wrote to memory of 3112	5076	cmd.exe	125
PID 3112 wrote to memory of 1780	3112	spoolsv.exe	126
PID 3112 wrote to memory of 1780	3112	spoolsv.exe	126
PID 1780 wrote to memory of 4352	1780	cmd.exe	128
PID 1780 wrote to memory of 4352	1780	cmd.exe	128
PID 1780 wrote to memory of 3908	1780	cmd.exe	129
PID 1780 wrote to memory of 3908	1780	cmd.exe	129
PID 3908 wrote to memory of 1084	3908	spoolsv.exe	130
PID 3908 wrote to memory of 1084	3908	spoolsv.exe	130
PID 1084 wrote to memory of 4916	1084	cmd.exe	132
PID 1084 wrote to memory of 4916	1084	cmd.exe	132
PID 1084 wrote to memory of 2452	1084	cmd.exe	133
PID 1084 wrote to memory of 2452	1084	cmd.exe	133
PID 2452 wrote to memory of 4888	2452	spoolsv.exe	134
PID 2452 wrote to memory of 4888	2452	spoolsv.exe	134

C:\Users\Admin\AppData\Local\Temp\b2b93023bcfa81859c7944e3afdc1df6f3ae706cc9cdff74cbb63fb448b31cb4.exe
"C:\Users\Admin\AppData\Local\Temp\b2b93023bcfa81859c7944e3afdc1df6f3ae706cc9cdff74cbb63fb448b31cb4.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\HoloShell\pris\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
    - - C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3080
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4156
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4836
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4808
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4352
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4916
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        18⤵
        
        PID:4888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2436
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
        20⤵
        
        PID:3780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4812
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        22⤵
        
        PID:4648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3028
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
        24⤵
        
        PID:4956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1400
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"
        26⤵
        
        PID:4240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4980
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
        28⤵
        
        PID:5024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:5060
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        30⤵
        
        PID:2644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\HoloShell\pris\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\HoloShell\pris\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\HoloShell\pris\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a941e5b8922373f731cd59d81fb3e6a0

SHA1
7045ef5de8fbffd7a074f33cb1ca1bc5939d15cf

SHA256
3efee5bf7c6e258841f58fa491b0b111f832f3d0c506cbf1de3fd8a25d59c065

SHA512
3b7af6ed073fedd39d1101bf60fd9ed0f20c43ec07f54b7dee2644badca85d2b19d5b6ace9c8ffa92e08b445b3b642aad56c13e15bf91fc25dc93b5763ccd3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a941e5b8922373f731cd59d81fb3e6a0

SHA1
7045ef5de8fbffd7a074f33cb1ca1bc5939d15cf

SHA256
3efee5bf7c6e258841f58fa491b0b111f832f3d0c506cbf1de3fd8a25d59c065

SHA512
3b7af6ed073fedd39d1101bf60fd9ed0f20c43ec07f54b7dee2644badca85d2b19d5b6ace9c8ffa92e08b445b3b642aad56c13e15bf91fc25dc93b5763ccd3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a941e5b8922373f731cd59d81fb3e6a0

SHA1
7045ef5de8fbffd7a074f33cb1ca1bc5939d15cf

SHA256
3efee5bf7c6e258841f58fa491b0b111f832f3d0c506cbf1de3fd8a25d59c065

SHA512
3b7af6ed073fedd39d1101bf60fd9ed0f20c43ec07f54b7dee2644badca85d2b19d5b6ace9c8ffa92e08b445b3b642aad56c13e15bf91fc25dc93b5763ccd3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a941e5b8922373f731cd59d81fb3e6a0

SHA1
7045ef5de8fbffd7a074f33cb1ca1bc5939d15cf

SHA256
3efee5bf7c6e258841f58fa491b0b111f832f3d0c506cbf1de3fd8a25d59c065

SHA512
3b7af6ed073fedd39d1101bf60fd9ed0f20c43ec07f54b7dee2644badca85d2b19d5b6ace9c8ffa92e08b445b3b642aad56c13e15bf91fc25dc93b5763ccd3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ec0c09f3b514676879be66433e0b0fc

SHA1
3b767d2f0f745deafdfe501df5d7b7d8fcbabf01

SHA256
c3878a4cc3fee2a64465f9b25e7f20dbaedfa240584f05e16597505dc7150467

SHA512
f4791a875a8d8074c5473ad4021c609c8210209d981fd59a43c68845989707dde7a08506abcc85571a5b81714fa3f11cd8206650b7a45c012347dd86962986f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ec0c09f3b514676879be66433e0b0fc

SHA1
3b767d2f0f745deafdfe501df5d7b7d8fcbabf01

SHA256
c3878a4cc3fee2a64465f9b25e7f20dbaedfa240584f05e16597505dc7150467

SHA512
f4791a875a8d8074c5473ad4021c609c8210209d981fd59a43c68845989707dde7a08506abcc85571a5b81714fa3f11cd8206650b7a45c012347dd86962986f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd755630b20110992c2b52fbfaa2eede

SHA1
68f030e0ffae7763660c9a27a33ed705ec74d2a6

SHA256
6be4920cd4a412da0f040dac4e6d865d3fc1f63355dba535d83c368d83bebeba

SHA512
e0c0903f6cb64f854bb6afe7af7025b5fb8ae17ddde37d30cbab84f13fb67af5197580551976f50e5be1603771108b2db8c8dfbb91abbf6e77aa1a80398c31d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
183B

MD5
aad1408dac50270d0435ad3ef1392c6e

SHA1
9624ac5a706cdfe949ccd702b705f0e6728af8f5

SHA256
c07e29051e09bef1c1dea111c4131ba5d0919477ea462cfd08676c8006763e4b

SHA512
0221df9f7103ab1cba1cd8de28947dbf5c539c2c7525c37e842ad1bfe581d708cd097fc3e40ce897e6a26e66568e541e831b10ac3ba5145351640f6bd4162ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
183B

MD5
2b402e879b767c2892f2b1a933c301e8

SHA1
d12890b7572983a0419238ca23ecf086ef339c23

SHA256
51abcb8eac37f7699546fd4768719759428b03b7b0794d441faf555900ec0214

SHA512
60752b72b3e58161afa28293d985769b82320d2be53dd0dc5a1ecd25d6d3a6730059626a36a9af759654184cc22b114d0dbca736bfead3b2fab940758ea616c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

Filesize
183B

MD5
c80a191ede5439e5eb45bace34816943

SHA1
f39ae33f29a498c9cb32fa47ed80c01247f3fc52

SHA256
91f46782ef337f6f27a8dcb08fde47043ad95928310ad0aa3b30640fa04c265c

SHA512
49415d020abef22b3b04de3fd7025f61c2f9cee9fc5875a150bec8557f3ce51ae6c223575e9820c5e86648d79548c7b309f6a9031bb746f6ff0b5f2e1890b2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

Filesize
183B

MD5
4113df52e029cda1ea4d4fe3292895c8

SHA1
9ea258b08a9d56dbb7dff933f1956773c72652f0

SHA256
ae63d7f2365737f0737dbab881afbcd8aa2ef2e9452af15e205305455287d944

SHA512
39c673e598fae1e310974d7f3245279f9e7750dc1161f1bdbf002b94049d3496047a1cc07b69164babc6a9c71086e4a1fca4447cba82cc270af10a6ee662a27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat

Filesize
183B

MD5
f9a484be0ec88ab4ebceaee6c83ce8a7

SHA1
113ebc2d4118dfe1d64079e4d649467e44fb35ac

SHA256
bbc138fed681c215ce6bb5d9272e3c2df45bce2073b5e9b100fc37de80461188

SHA512
af40dc383eb13130b29853ad5c6e537d8d48c07eeff5f80d96fc764058f4a82731dcdecd7cbb1e3e4c6c598f6aaac0ddfe61dc9ee9bbd14076ba866cccd72f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat

Filesize
183B

MD5
f9a484be0ec88ab4ebceaee6c83ce8a7

SHA1
113ebc2d4118dfe1d64079e4d649467e44fb35ac

SHA256
bbc138fed681c215ce6bb5d9272e3c2df45bce2073b5e9b100fc37de80461188

SHA512
af40dc383eb13130b29853ad5c6e537d8d48c07eeff5f80d96fc764058f4a82731dcdecd7cbb1e3e4c6c598f6aaac0ddfe61dc9ee9bbd14076ba866cccd72f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat

Filesize
183B

MD5
f5c390956fe1130f9e2cf5bef752affd

SHA1
423165ebcf1a06d8d727022647e906fcab6423da

SHA256
26125d9034f5b8c10d588aa2f71bddf2b87e58a69fed804142a846832654708a

SHA512
6f9aa952e8194022d29e3587951fbeada37705b748cafa500f8fbc843c791d2be6fdd8f491601a40b6df651ec86b2583ba9bd7662529c318458ac22d2a0b555f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

Filesize
183B

MD5
32bc16af2857f17138577cd76a44b206

SHA1
6d2303eddfa93c64c0506b20db677815679162f5

SHA256
54715d579fd9eccf32937997bda779d8a0b1cf121fad2599a00c20430119c83c

SHA512
950253fd78eceb11f3eafc2daf3b9180e1c354565a164ba0511e73c83ffefd940a1ec7a583edf7f804a1b12e63340e5b530768b239bea5802e4883bccce73430

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
183B

MD5
72a0b7dd382dbbe02c60cb508dc1326a

SHA1
7f2c21a7158470b4ff2fefa0b1baaa8ae1106fdc

SHA256
0137d248b91f2e265be047affa4387397000a081932945ff2bdd86cb625e2f13

SHA512
fa88e9e792b1f73996f42a63b7dd44ac32014746c1baed0aca8725253bc791e3520aa99c31de6aa6c172ad10503fd2836fe34dab2aadf705b85567994c4c6f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

Filesize
183B

MD5
ac7631aa457a2c7505ff514d2daf8a2c

SHA1
3a93ae657ac5daa9ab086c2927dbc128d7f5d9d2

SHA256
6ec4acc8674a0e5b087a1701552dd33f61ebb519fb09d43e22ad390564cd8051

SHA512
dcefaf88dc4864de96785179af87299166de1631db97750d9a4f62fcf41bdb634658cf977aab16d8ceeb7e4b5baac7b1843f5362fc43066d8893d34be8fb2ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
183B

MD5
02da8d26fd65a986b3f5fbb1fa94d34e

SHA1
f742b7ed1a17ea686df4aaaae6063b4ae6afc828

SHA256
9a872326bd694d830188402284dac84483c3258c1aefb69c7ea17a6ca3eeac45

SHA512
bb7769beada32e02efad1f4f234e5fa93fca52ef1d1ac4d9919bfd16e9c7ce99fe4cae6b301ce9084a3e41544d359ba9a05f9f59e470b5a1d83f7d40c3f240e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat

Filesize
183B

MD5
c546e8e6c61dcbcee95968a354a03a9e

SHA1
1c6be1ca52c5b903aad554b49da744eb3a817daf

SHA256
073a3c07f3587115d63de17c009adc7509bceed39121f47163fef8aede528a26

SHA512
7ea810dbbc7a8e22e9f00ac635f1c2db81055986328f192fe88a72d3abf16dbe0ae07d2a530e026f545c8192ad87b7e31ca721b05dfd8d42aec100c3b0377928

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

Filesize
183B

MD5
11170df7222b4e65585dc5a8a5a2a913

SHA1
6f51756fe1ec54f0b417564d42b523606a9a6adf

SHA256
c249b3c21c70b721b86e6899c311cab9d43f58defe7bb6d49972ba9e30adf6fc

SHA512
26129edd87784be59f3fde61f4ae1678ce02604a4603f721c88875429f420af9418b782bbc57e300d872a19a265612605310c1d0f6acefe482a9c443ce216e69

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/360-347-0x0000019DAD230000-0x0000019DAD2A6000-memory.dmp

Filesize
472KB

Download
memory/2256-336-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/2452-627-0x0000000001690000-0x00000000016A2000-memory.dmp

Filesize
72KB

Download
memory/3080-186-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3080-185-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3112-615-0x0000000001330000-0x0000000001342000-memory.dmp

Filesize
72KB

Download
memory/3908-621-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/4564-289-0x0000000002EF0000-0x0000000002EFC000-memory.dmp

Filesize
48KB

Download
memory/4564-290-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/4564-288-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/4564-287-0x0000000002EE0000-0x0000000002EF2000-memory.dmp

Filesize
72KB

Download
memory/4564-286-0x0000000000C70000-0x0000000000D80000-memory.dmp

Filesize
1.1MB

Download
memory/4648-335-0x0000029929E00000-0x0000029929E22000-memory.dmp

Filesize
136KB

Download
memory/4688-633-0x0000000001390000-0x00000000013A2000-memory.dmp

Filesize
72KB

Download
memory/4876-157-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-146-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-171-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-121-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-168-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-166-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-164-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-163-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-175-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-162-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-176-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-161-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-159-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-177-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-158-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-154-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-153-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-151-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-150-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-149-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-183-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-181-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-138-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-137-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-136-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-135-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-132-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4876-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/5024-599-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

Filesize
72KB

Download