dcrat | af5e876ace38fd1d3f05ca113eabd6b9ddc99f1c15d17cd7a618ff5f50ac63ce

Analysis

max time kernel
142s
max time network
139s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af5e876ace38fd1d3f05ca113eabd6b9ddc99f1c15d17cd7a618ff5f50ac63ce.exe
Size

1.3MB
MD5

367b5a0fb9d44858b0a0f1204aa84a78
SHA1

9664d7346eaf856134c37171b0f1403e404787d8
SHA256

af5e876ace38fd1d3f05ca113eabd6b9ddc99f1c15d17cd7a618ff5f50ac63ce
SHA512

8c0b463596d4e0ac550197ea7b20b5f7dcbb2e72980b2d3fae35984e7f9205386356cd80dd7c935c30a82a1f9ea0bbaae3f7cf21775b5ff1e24df13c2077e0a7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4668	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abec-283.dat	dcrat
behavioral1/files/0x000800000001abec-282.dat	dcrat
behavioral1/memory/3200-284-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/files/0x000600000001abf5-509.dat	dcrat
behavioral1/files/0x000600000001abf5-510.dat	dcrat
behavioral1/files/0x000600000001abf5-543.dat	dcrat
behavioral1/files/0x000600000001abf5-550.dat	dcrat
behavioral1/files/0x000600000001abf5-555.dat	dcrat
behavioral1/files/0x000600000001abf5-560.dat	dcrat
behavioral1/files/0x000600000001abf5-565.dat	dcrat
behavioral1/files/0x000600000001abf5-570.dat	dcrat
behavioral1/files/0x000600000001abf5-576.dat	dcrat
behavioral1/files/0x000600000001abf5-582.dat	dcrat
behavioral1/files/0x000600000001abf5-587.dat	dcrat
behavioral1/files/0x000600000001abf5-593.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3200	DllCommonsvc.exe
5012	SearchUI.exe
3872	SearchUI.exe
4180	SearchUI.exe
4916	SearchUI.exe
4880	SearchUI.exe
4140	SearchUI.exe
5052	SearchUI.exe
1164	SearchUI.exe
3964	SearchUI.exe
4132	SearchUI.exe
4804	SearchUI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\SearchUI.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\SearchUI.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\SearchUI.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\dab4d89cac03ec	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4728	schtasks.exe
3308	schtasks.exe
3900	schtasks.exe
3348	schtasks.exe
4976	schtasks.exe
4884	schtasks.exe
4864	schtasks.exe
4960	schtasks.exe
3188	schtasks.exe
4484	schtasks.exe
4520	schtasks.exe
4828	schtasks.exe
4508	schtasks.exe
2800	schtasks.exe
3264	schtasks.exe
4896	schtasks.exe
4424	schtasks.exe
3300	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	af5e876ace38fd1d3f05ca113eabd6b9ddc99f1c15d17cd7a618ff5f50ac63ce.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
396	powershell.exe
4996	powershell.exe
4876	powershell.exe
676	powershell.exe
596	powershell.exe
1260	powershell.exe
1860	powershell.exe
676	powershell.exe
596	powershell.exe
4876	powershell.exe
1260	powershell.exe
4996	powershell.exe
596	powershell.exe
676	powershell.exe
4996	powershell.exe
396	powershell.exe
1860	powershell.exe
1260	powershell.exe
4876	powershell.exe
396	powershell.exe
1860	powershell.exe
5012	SearchUI.exe
3872	SearchUI.exe
4180	SearchUI.exe
4916	SearchUI.exe
4880	SearchUI.exe
4140	SearchUI.exe
5052	SearchUI.exe
1164	SearchUI.exe
3964	SearchUI.exe
4132	SearchUI.exe
4804	SearchUI.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	DllCommonsvc.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeIncreaseQuotaPrivilege	596	powershell.exe
Token: SeSecurityPrivilege	596	powershell.exe
Token: SeTakeOwnershipPrivilege	596	powershell.exe
Token: SeLoadDriverPrivilege	596	powershell.exe
Token: SeSystemProfilePrivilege	596	powershell.exe
Token: SeSystemtimePrivilege	596	powershell.exe
Token: SeProfSingleProcessPrivilege	596	powershell.exe
Token: SeIncBasePriorityPrivilege	596	powershell.exe
Token: SeCreatePagefilePrivilege	596	powershell.exe
Token: SeBackupPrivilege	596	powershell.exe
Token: SeRestorePrivilege	596	powershell.exe
Token: SeShutdownPrivilege	596	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeSystemEnvironmentPrivilege	596	powershell.exe
Token: SeRemoteShutdownPrivilege	596	powershell.exe
Token: SeUndockPrivilege	596	powershell.exe
Token: SeManageVolumePrivilege	596	powershell.exe
Token: 33	596	powershell.exe
Token: 34	596	powershell.exe
Token: 35	596	powershell.exe
Token: 36	596	powershell.exe
Token: SeIncreaseQuotaPrivilege	676	powershell.exe
Token: SeSecurityPrivilege	676	powershell.exe
Token: SeTakeOwnershipPrivilege	676	powershell.exe
Token: SeLoadDriverPrivilege	676	powershell.exe
Token: SeSystemProfilePrivilege	676	powershell.exe
Token: SeSystemtimePrivilege	676	powershell.exe
Token: SeProfSingleProcessPrivilege	676	powershell.exe
Token: SeIncBasePriorityPrivilege	676	powershell.exe
Token: SeCreatePagefilePrivilege	676	powershell.exe
Token: SeBackupPrivilege	676	powershell.exe
Token: SeRestorePrivilege	676	powershell.exe
Token: SeShutdownPrivilege	676	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeSystemEnvironmentPrivilege	676	powershell.exe
Token: SeRemoteShutdownPrivilege	676	powershell.exe
Token: SeUndockPrivilege	676	powershell.exe
Token: SeManageVolumePrivilege	676	powershell.exe
Token: 33	676	powershell.exe
Token: 34	676	powershell.exe
Token: 35	676	powershell.exe
Token: 36	676	powershell.exe
Token: SeIncreaseQuotaPrivilege	4996	powershell.exe
Token: SeSecurityPrivilege	4996	powershell.exe
Token: SeTakeOwnershipPrivilege	4996	powershell.exe
Token: SeLoadDriverPrivilege	4996	powershell.exe
Token: SeSystemProfilePrivilege	4996	powershell.exe
Token: SeSystemtimePrivilege	4996	powershell.exe
Token: SeProfSingleProcessPrivilege	4996	powershell.exe
Token: SeIncBasePriorityPrivilege	4996	powershell.exe
Token: SeCreatePagefilePrivilege	4996	powershell.exe
Token: SeBackupPrivilege	4996	powershell.exe
Token: SeRestorePrivilege	4996	powershell.exe
Token: SeShutdownPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeSystemEnvironmentPrivilege	4996	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 5100	3040	af5e876ace38fd1d3f05ca113eabd6b9ddc99f1c15d17cd7a618ff5f50ac63ce.exe	66
PID 3040 wrote to memory of 5100	3040	af5e876ace38fd1d3f05ca113eabd6b9ddc99f1c15d17cd7a618ff5f50ac63ce.exe	66
PID 3040 wrote to memory of 5100	3040	af5e876ace38fd1d3f05ca113eabd6b9ddc99f1c15d17cd7a618ff5f50ac63ce.exe	66
PID 5100 wrote to memory of 4272	5100	WScript.exe	67
PID 5100 wrote to memory of 4272	5100	WScript.exe	67
PID 5100 wrote to memory of 4272	5100	WScript.exe	67
PID 4272 wrote to memory of 3200	4272	cmd.exe	69
PID 4272 wrote to memory of 3200	4272	cmd.exe	69
PID 3200 wrote to memory of 4996	3200	DllCommonsvc.exe	89
PID 3200 wrote to memory of 4996	3200	DllCommonsvc.exe	89
PID 3200 wrote to memory of 4876	3200	DllCommonsvc.exe	90
PID 3200 wrote to memory of 4876	3200	DllCommonsvc.exe	90
PID 3200 wrote to memory of 396	3200	DllCommonsvc.exe	91
PID 3200 wrote to memory of 396	3200	DllCommonsvc.exe	91
PID 3200 wrote to memory of 676	3200	DllCommonsvc.exe	93
PID 3200 wrote to memory of 676	3200	DllCommonsvc.exe	93
PID 3200 wrote to memory of 596	3200	DllCommonsvc.exe	102
PID 3200 wrote to memory of 596	3200	DllCommonsvc.exe	102
PID 3200 wrote to memory of 1260	3200	DllCommonsvc.exe	96
PID 3200 wrote to memory of 1260	3200	DllCommonsvc.exe	96
PID 3200 wrote to memory of 1860	3200	DllCommonsvc.exe	99
PID 3200 wrote to memory of 1860	3200	DllCommonsvc.exe	99
PID 3200 wrote to memory of 5012	3200	DllCommonsvc.exe	104
PID 3200 wrote to memory of 5012	3200	DllCommonsvc.exe	104
PID 5012 wrote to memory of 1040	5012	SearchUI.exe	105
PID 5012 wrote to memory of 1040	5012	SearchUI.exe	105
PID 1040 wrote to memory of 4544	1040	cmd.exe	107
PID 1040 wrote to memory of 4544	1040	cmd.exe	107
PID 1040 wrote to memory of 3872	1040	cmd.exe	108
PID 1040 wrote to memory of 3872	1040	cmd.exe	108
PID 3872 wrote to memory of 4176	3872	SearchUI.exe	109
PID 3872 wrote to memory of 4176	3872	SearchUI.exe	109
PID 4176 wrote to memory of 3996	4176	cmd.exe	111
PID 4176 wrote to memory of 3996	4176	cmd.exe	111
PID 4176 wrote to memory of 4180	4176	cmd.exe	112
PID 4176 wrote to memory of 4180	4176	cmd.exe	112
PID 4180 wrote to memory of 3708	4180	SearchUI.exe	113
PID 4180 wrote to memory of 3708	4180	SearchUI.exe	113
PID 3708 wrote to memory of 3168	3708	cmd.exe	115
PID 3708 wrote to memory of 3168	3708	cmd.exe	115
PID 3708 wrote to memory of 4916	3708	cmd.exe	116
PID 3708 wrote to memory of 4916	3708	cmd.exe	116
PID 4916 wrote to memory of 2728	4916	SearchUI.exe	117
PID 4916 wrote to memory of 2728	4916	SearchUI.exe	117
PID 2728 wrote to memory of 4900	2728	cmd.exe	119
PID 2728 wrote to memory of 4900	2728	cmd.exe	119
PID 2728 wrote to memory of 4880	2728	cmd.exe	120
PID 2728 wrote to memory of 4880	2728	cmd.exe	120
PID 4880 wrote to memory of 1160	4880	SearchUI.exe	121
PID 4880 wrote to memory of 1160	4880	SearchUI.exe	121
PID 1160 wrote to memory of 2428	1160	cmd.exe	123
PID 1160 wrote to memory of 2428	1160	cmd.exe	123
PID 1160 wrote to memory of 4140	1160	cmd.exe	124
PID 1160 wrote to memory of 4140	1160	cmd.exe	124
PID 4140 wrote to memory of 332	4140	SearchUI.exe	125
PID 4140 wrote to memory of 332	4140	SearchUI.exe	125
PID 332 wrote to memory of 2308	332	cmd.exe	127
PID 332 wrote to memory of 2308	332	cmd.exe	127
PID 332 wrote to memory of 5052	332	cmd.exe	128
PID 332 wrote to memory of 5052	332	cmd.exe	128
PID 5052 wrote to memory of 2172	5052	SearchUI.exe	129
PID 5052 wrote to memory of 2172	5052	SearchUI.exe	129
PID 2172 wrote to memory of 1836	2172	cmd.exe	131
PID 2172 wrote to memory of 1836	2172	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\af5e876ace38fd1d3f05ca113eabd6b9ddc99f1c15d17cd7a618ff5f50ac63ce.exe
"C:\Users\Admin\AppData\Local\Temp\af5e876ace38fd1d3f05ca113eabd6b9ddc99f1c15d17cd7a618ff5f50ac63ce.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
    - - C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4544
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3996
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3168
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4900
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2428
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2308
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1836
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        20⤵
        
        PID:1896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:932
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        22⤵
        
        PID:728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4996
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        24⤵
        
        PID:3440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:444
        
        C:\Program Files (x86)\Windows Media Player\SearchUI.exe
        
        "C:\Program Files (x86)\Windows Media Player\SearchUI.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\TAPI\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Media Player\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchUI.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
460e43c96adeb94fe04317c2fa20bd5d

SHA1
1d85b563027489ad5d342ac1750daea76eae3966

SHA256
36fe8f0f2bd5e84bb9e877f07121898f728ba89b93c148c7539d14a6bfebe278

SHA512
501e03b45e1c81ebfc1eecc95eb1d47aac79c264ba43f52ba7c050461d7fb833a22c8a646b3a29e8a24561999dc4210e15ac4b37d1eb0fdb831315e3828ea559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
460e43c96adeb94fe04317c2fa20bd5d

SHA1
1d85b563027489ad5d342ac1750daea76eae3966

SHA256
36fe8f0f2bd5e84bb9e877f07121898f728ba89b93c148c7539d14a6bfebe278

SHA512
501e03b45e1c81ebfc1eecc95eb1d47aac79c264ba43f52ba7c050461d7fb833a22c8a646b3a29e8a24561999dc4210e15ac4b37d1eb0fdb831315e3828ea559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e4cd2565be832764c0e0b66ee9efd81c

SHA1
296fd68e7a14b8b7cfd0aeef4b49aa5f6709101b

SHA256
6ec89bac28f5d5eb9272678ca329c2f93a18399dc42ec509b7dbc90cd2e9274a

SHA512
e394fdc098a2acb3da98a91f959b1f2e92a0edc32dd2e5d25348e18d4d4debbc30b3e7b51e3fdafa7392d71aabebccfe54c70e36dc638c990d2fd07998bcfe59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02b6c68dead38613d1a8ea25fc80efc8

SHA1
3ebea48bb5ebe6cbf73f4ecbee0b67fd253b02e9

SHA256
e5d94cb19f98851096d1c2114e3d18543082cbfe1d91c42f927fcde3b7be75a7

SHA512
baef4ccff193426df30097f39126e271311ea0614ec24356069e15672fbf877248993c58a8816427bf93c5ff96e57357168449b3a2581e464b73e9b83286b492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02b6c68dead38613d1a8ea25fc80efc8

SHA1
3ebea48bb5ebe6cbf73f4ecbee0b67fd253b02e9

SHA256
e5d94cb19f98851096d1c2114e3d18543082cbfe1d91c42f927fcde3b7be75a7

SHA512
baef4ccff193426df30097f39126e271311ea0614ec24356069e15672fbf877248993c58a8816427bf93c5ff96e57357168449b3a2581e464b73e9b83286b492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d75b774b4dfc2a3c72eb4941249e5d4b

SHA1
4b6356c56c2c93720ee6bac42e03df1b67d94e1c

SHA256
1bc1225b53c5ec6e98c357f9823d67bc889de6aea859f5eb770a94e32e9dcc6a

SHA512
4f418e601fadab593835379ed4a4388cc99743a0b541dd59d5edd608cb85a551d55bf41353d006ac130847de7f5f3bcbf8a9b919c1d9c717ef4e3f72bc2a3d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
221B

MD5
31c23696c7fb8288513f117f1357d0f5

SHA1
43f353b4be22572ab1ee71ca0885c59ef25303a0

SHA256
ef0dc73b031ff60f3319fda9956c180926dea8ee021d1e064acf0213a8bf144b

SHA512
80e2b1d8d268a0cc2d8b776f046860adf8f49fc88ff51dd0ba4fff1e91e0929e80945a547f951f9c2839da7df3a93b7828bb56ff60d6b49135b011525606775d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

Filesize
221B

MD5
870da90d4f11a93a9a4324c887ce8e54

SHA1
af8a8c99d2e8940912d9b665394cf26b480c5721

SHA256
21e3035b7d0a4f2b8fe3e8cd0a16da9dc7a8f6521753eed8c71b2c57f0e0aba0

SHA512
44c08a2772c640d937936f8be5251927b5315ac24760293cf7889789cb76423e5703acd773561604fed27dae2cbe245eb93e44fbdaac90bfe0a7f33a278b7ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat

Filesize
221B

MD5
5f2269fd096af80356146ff7b0c493be

SHA1
cbaa9e05e90a497de9384d3d025692f34dc1c4f9

SHA256
74cfc100f618d9d71d4907a9418ae10491505437d9abaf6d99ec796430dbda4d

SHA512
c4b151c549b51b24db1aae4698d3af4d3f23c657e0678b1a3403ddac2e441c0f9edb211d6043de60a43fb2bf3bf737c1b5eaca09d473d777c2e5582823b37675

Download Submit
C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat

Filesize
221B

MD5
3c73711386f191e45ec230938ca86d54

SHA1
6854e2abf83d77dc563383abbca6d72686e9641f

SHA256
e25f32c072d9a7097d7fd3cb52bb8f666fc2576c2747008d1d1c10f0301d0029

SHA512
26b5db6826b9cb7f1ed7040d8580fc13c9bc8142754eb962da32239c16384d5135af5e6e944c8b968bbc3f2c42f384d767cb47e835b8e639c2662d54845304b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat

Filesize
221B

MD5
e2adde2b0ff2b99485b31adcf3c6357c

SHA1
afe765d9588905d2fe04247d842103c756bd696e

SHA256
9743478478a43e1d964eb39f3180fad4d10b45e5c0fec9688795f52b52f857ff

SHA512
f437a517558f92aafc1afe3d2d1b5f2693fdcc879ea90088130a4f44dde945a35dc293de68d83794ed4f276ab32c64c323502491a30a59c74c4b45f293c8d4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
221B

MD5
a64230230bebcb67857a029fd2ad6952

SHA1
70dffeca294cb1e4089b20376e3d43418bab92dc

SHA256
efea53f00da81899be1965605b85a906bc9dcdcd8227d0077973bb6b5a11e507

SHA512
2c8ec11dc58868686ef96ac7af927be9796f9170a11d3e13c79f2271bcafd503b1e277a501447755081586bdd88d08cc04f041064eb66c7e9450005ba3faf538

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat

Filesize
221B

MD5
62778f912dbf39a1cf14baff31fc65c4

SHA1
8f52a6416c2d209b53d4b5863018e508ba838da3

SHA256
cc3c4623ab82e52da51383df18dc782e02fd7dfbaa8c9ba6ac9d35036ed2df2c

SHA512
36705027b5f5788ed693f4d750c526f485e69564a7f2d6467a4ab9d4fa455d7d43310d7d2c668d8770d1c5c2fccf8348f32af869950483f2488c19b1f0abe109

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
221B

MD5
2cf7d9c322dddcae4cc5456bac78c4fa

SHA1
1ff48a8643cb82a6487b6cd07a2baa0308559706

SHA256
5f1f8a891af95758253a4094b5503b05051bb09e588ce5f466bb10fa4e4bc810

SHA512
38df434e26f4695446cdd8ee7df73b6a31098b6427bf51b07d423f8918d07b025ab90d389e076c85e58538bc30bc9029a88df571f1e5cb84beeda1b62357c768

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat

Filesize
221B

MD5
7fbffc5738f14ac949f999653faf1b01

SHA1
d037ac656e2debdca0485e5c46496d843dfb48ec

SHA256
0c80fed3c0984b116d9e1e10db06c58a3abe3e640c7a2b575d5009fed6dc655f

SHA512
989972dd774d8765e9d4407dacf39f55d4d27171b58b94ec9db9cb052e0f581f071ad5ecc1777651b3fe7987164b3d7805a2f17d271bcaa323b81a81e5910e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
221B

MD5
b8da9c55e2ea7b00134e10b4baec49e8

SHA1
6c3891a1048c31c7fc9564179e39791a0110b248

SHA256
04763a43dc6e0bb1986b69a6193f4a7ee02d98b9ac45e806f7ef8bd1f0b0c033

SHA512
9a8ca902591678c34e2a8fc6b78c8de8d24a79e9a7a02b8ad872e5272b73f48e2027dcaa939d42cfe97f76f154c782ace482b7223e34945e268832248359b065

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/396-324-0x0000014FD5BB0000-0x0000014FD5BD2000-memory.dmp

Filesize
136KB

Download
memory/676-333-0x0000020F98640000-0x0000020F986B6000-memory.dmp

Filesize
472KB

Download
memory/1164-577-0x0000000001590000-0x00000000015A2000-memory.dmp

Filesize
72KB

Download
memory/3040-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3200-284-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/3200-285-0x00000000014A0000-0x00000000014B2000-memory.dmp

Filesize
72KB

Download
memory/3200-286-0x00000000016E0000-0x00000000016EC000-memory.dmp

Filesize
48KB

Download
memory/3200-288-0x00000000014C0000-0x00000000014CC000-memory.dmp

Filesize
48KB

Download
memory/3200-287-0x00000000014B0000-0x00000000014BC000-memory.dmp

Filesize
48KB

Download
memory/3872-545-0x0000000001440000-0x0000000001452000-memory.dmp

Filesize
72KB

Download
memory/4132-588-0x00000000016E0000-0x00000000016F2000-memory.dmp

Filesize
72KB

Download
memory/5052-571-0x0000000001340000-0x0000000001352000-memory.dmp

Filesize
72KB

Download
memory/5100-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/5100-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download