dcrat | 81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 03:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f.exe
Size

1.3MB
MD5

f206092cfca74c5216dacd3b2c45c935
SHA1

275ad5f65bc3d91ad9d41df35b1b34116175ffd8
SHA256

81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f
SHA512

df13f3437e2c84851ad97e6c6ffeab4bc92f3fdceeab4bde7e8c1ac58f58c37c97ca5d2bb647142c5f8a3e4e9be8bad4827b0822c0acef3055eac0b762183ff2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2720	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2720	schtasks.exe	45

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0002000000021a55-137.dat	dcrat
behavioral1/files/0x0002000000021a55-138.dat	dcrat
behavioral1/memory/2536-139-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/files/0x0006000000022e1c-183.dat	dcrat
behavioral1/files/0x0006000000022e1c-184.dat	dcrat
behavioral1/files/0x0006000000022e1c-191.dat	dcrat
behavioral1/files/0x0006000000022e1c-199.dat	dcrat
behavioral1/files/0x0006000000022e1c-206.dat	dcrat
behavioral1/files/0x0006000000022e1c-213.dat	dcrat
behavioral1/files/0x0006000000022e1c-220.dat	dcrat
behavioral1/files/0x0006000000022e1c-227.dat	dcrat
behavioral1/files/0x0006000000022e1c-234.dat	dcrat
behavioral1/files/0x0006000000022e1c-241.dat	dcrat
behavioral1/files/0x0006000000022e1c-248.dat	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 11 IoCs

pid	Process
2536	DllCommonsvc.exe
1244	spoolsv.exe
3320	spoolsv.exe
3232	spoolsv.exe
3600	spoolsv.exe
4440	spoolsv.exe
5056	spoolsv.exe
1964	spoolsv.exe
2544	spoolsv.exe
2276	spoolsv.exe
2800	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Windows\apppatch\CustomSDB\SearchApp.exe	DllCommonsvc.exe
File created	C:\Windows\apppatch\CustomSDB\38384e6a620884	DllCommonsvc.exe
File created	C:\Windows\de-DE\SppExtComObj.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4208	schtasks.exe
5048	schtasks.exe
4504	schtasks.exe
1444	schtasks.exe
3896	schtasks.exe
3520	schtasks.exe
3676	schtasks.exe
3592	schtasks.exe
904	schtasks.exe
4980	schtasks.exe
5108	schtasks.exe
1784	schtasks.exe
3608	schtasks.exe
4308	schtasks.exe
1864	schtasks.exe
3476	schtasks.exe
4588	schtasks.exe
2368	schtasks.exe
3776	schtasks.exe
1708	schtasks.exe
4368	schtasks.exe
4772	schtasks.exe
1788	schtasks.exe
2920	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
2536	DllCommonsvc.exe
3692	powershell.exe
3692	powershell.exe
2236	powershell.exe
2236	powershell.exe
3984	powershell.exe
3984	powershell.exe
2692	powershell.exe
2692	powershell.exe
2736	powershell.exe
2736	powershell.exe
824	powershell.exe
824	powershell.exe
1100	powershell.exe
1100	powershell.exe
1648	powershell.exe
1648	powershell.exe
1988	powershell.exe
1988	powershell.exe
2736	powershell.exe
1988	powershell.exe
3692	powershell.exe
2236	powershell.exe
2692	powershell.exe
1100	powershell.exe
3984	powershell.exe
824	powershell.exe
1648	powershell.exe
1244	spoolsv.exe
3320	spoolsv.exe
3232	spoolsv.exe
3600	spoolsv.exe
4440	spoolsv.exe
5056	spoolsv.exe
1964	spoolsv.exe
2544	spoolsv.exe
2276	spoolsv.exe
2800	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	DllCommonsvc.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1244	spoolsv.exe
Token: SeDebugPrivilege	3320	spoolsv.exe
Token: SeDebugPrivilege	3232	spoolsv.exe
Token: SeDebugPrivilege	3600	spoolsv.exe
Token: SeDebugPrivilege	4440	spoolsv.exe
Token: SeDebugPrivilege	5056	spoolsv.exe
Token: SeDebugPrivilege	1964	spoolsv.exe
Token: SeDebugPrivilege	2544	spoolsv.exe
Token: SeDebugPrivilege	2276	spoolsv.exe
Token: SeDebugPrivilege	2800	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 4100	1260	81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f.exe	82
PID 1260 wrote to memory of 4100	1260	81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f.exe	82
PID 1260 wrote to memory of 4100	1260	81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f.exe	82
PID 4100 wrote to memory of 2412	4100	WScript.exe	88
PID 4100 wrote to memory of 2412	4100	WScript.exe	88
PID 4100 wrote to memory of 2412	4100	WScript.exe	88
PID 2412 wrote to memory of 2536	2412	cmd.exe	90
PID 2412 wrote to memory of 2536	2412	cmd.exe	90
PID 2536 wrote to memory of 3692	2536	DllCommonsvc.exe	115
PID 2536 wrote to memory of 3692	2536	DllCommonsvc.exe	115
PID 2536 wrote to memory of 2692	2536	DllCommonsvc.exe	120
PID 2536 wrote to memory of 2692	2536	DllCommonsvc.exe	120
PID 2536 wrote to memory of 2236	2536	DllCommonsvc.exe	117
PID 2536 wrote to memory of 2236	2536	DllCommonsvc.exe	117
PID 2536 wrote to memory of 3984	2536	DllCommonsvc.exe	118
PID 2536 wrote to memory of 3984	2536	DllCommonsvc.exe	118
PID 2536 wrote to memory of 824	2536	DllCommonsvc.exe	128
PID 2536 wrote to memory of 824	2536	DllCommonsvc.exe	128
PID 2536 wrote to memory of 2736	2536	DllCommonsvc.exe	122
PID 2536 wrote to memory of 2736	2536	DllCommonsvc.exe	122
PID 2536 wrote to memory of 1100	2536	DllCommonsvc.exe	123
PID 2536 wrote to memory of 1100	2536	DllCommonsvc.exe	123
PID 2536 wrote to memory of 1648	2536	DllCommonsvc.exe	124
PID 2536 wrote to memory of 1648	2536	DllCommonsvc.exe	124
PID 2536 wrote to memory of 1988	2536	DllCommonsvc.exe	133
PID 2536 wrote to memory of 1988	2536	DllCommonsvc.exe	133
PID 2536 wrote to memory of 4364	2536	DllCommonsvc.exe	134
PID 2536 wrote to memory of 4364	2536	DllCommonsvc.exe	134
PID 4364 wrote to memory of 176	4364	cmd.exe	136
PID 4364 wrote to memory of 176	4364	cmd.exe	136
PID 4364 wrote to memory of 1244	4364	cmd.exe	139
PID 4364 wrote to memory of 1244	4364	cmd.exe	139
PID 1244 wrote to memory of 388	1244	spoolsv.exe	140
PID 1244 wrote to memory of 388	1244	spoolsv.exe	140
PID 388 wrote to memory of 3384	388	cmd.exe	142
PID 388 wrote to memory of 3384	388	cmd.exe	142
PID 388 wrote to memory of 3320	388	cmd.exe	144
PID 388 wrote to memory of 3320	388	cmd.exe	144
PID 3320 wrote to memory of 1652	3320	spoolsv.exe	145
PID 3320 wrote to memory of 1652	3320	spoolsv.exe	145
PID 1652 wrote to memory of 2408	1652	cmd.exe	147
PID 1652 wrote to memory of 2408	1652	cmd.exe	147
PID 1652 wrote to memory of 3232	1652	cmd.exe	148
PID 1652 wrote to memory of 3232	1652	cmd.exe	148
PID 3232 wrote to memory of 448	3232	spoolsv.exe	149
PID 3232 wrote to memory of 448	3232	spoolsv.exe	149
PID 448 wrote to memory of 1224	448	cmd.exe	151
PID 448 wrote to memory of 1224	448	cmd.exe	151
PID 448 wrote to memory of 3600	448	cmd.exe	152
PID 448 wrote to memory of 3600	448	cmd.exe	152
PID 3600 wrote to memory of 4480	3600	spoolsv.exe	153
PID 3600 wrote to memory of 4480	3600	spoolsv.exe	153
PID 4480 wrote to memory of 2052	4480	cmd.exe	155
PID 4480 wrote to memory of 2052	4480	cmd.exe	155
PID 4480 wrote to memory of 4440	4480	cmd.exe	156
PID 4480 wrote to memory of 4440	4480	cmd.exe	156
PID 4440 wrote to memory of 2176	4440	spoolsv.exe	157
PID 4440 wrote to memory of 2176	4440	spoolsv.exe	157
PID 2176 wrote to memory of 1732	2176	cmd.exe	159
PID 2176 wrote to memory of 1732	2176	cmd.exe	159
PID 2176 wrote to memory of 5056	2176	cmd.exe	160
PID 2176 wrote to memory of 5056	2176	cmd.exe	160
PID 5056 wrote to memory of 2532	5056	spoolsv.exe	161
PID 5056 wrote to memory of 2532	5056	spoolsv.exe	161

C:\Users\Admin\AppData\Local\Temp\81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f.exe
"C:\Users\Admin\AppData\Local\Temp\81103d31a672203eac4af47e1026e2f3656580348034e6d34569072d5f81ac8f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\apppatch\CustomSDB\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AVVd0ldBbA.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:176
      - C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3384
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2408
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1224
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2052
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1732
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        17⤵
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1196
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        19⤵
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3128
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
        21⤵
        
        PID:4864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:488
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        23⤵
        
        PID:1420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:5032
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
        25⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\CustomSDB\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\apppatch\CustomSDB\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\CustomSDB\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

Filesize
183B

MD5
7e95724b38941d6d33d3c25d5a631048

SHA1
322e4c320989663ec83b88bcf6d99f4bb66b2049

SHA256
9b9b36363dd15178f07dc4aaea6be6268fb209ab762de9df9d3ac0eacf3c168d

SHA512
9682e10726d95dd4d67907f9fdd8fffc8758b746d805827c6cc9092d59638d71f7cb1302d979224f691a4a1a091ebc4a682ac83f8504e07c6358b7db38863812

Download Submit
C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

Filesize
183B

MD5
7e95724b38941d6d33d3c25d5a631048

SHA1
322e4c320989663ec83b88bcf6d99f4bb66b2049

SHA256
9b9b36363dd15178f07dc4aaea6be6268fb209ab762de9df9d3ac0eacf3c168d

SHA512
9682e10726d95dd4d67907f9fdd8fffc8758b746d805827c6cc9092d59638d71f7cb1302d979224f691a4a1a091ebc4a682ac83f8504e07c6358b7db38863812

Download Submit
C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

Filesize
183B

MD5
4a1387fc09082068c03d67d536b9a5b7

SHA1
eaaf69cf603c2c086be8cdd48cb081406db2b92b

SHA256
fecfb55bdeba477031d0fe72ca469d9441c1a15e0cd1837f1bb2ae127dd6dd4e

SHA512
636a52e75d3a851dcf8b028928fffa12ae556314a733cd08dabc1fc7266a9ddbb442b17c49d5e2a1e3e8e35a91ce5ccf8076c2d2d8e67da378a35a0f0e393bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AVVd0ldBbA.bat

Filesize
183B

MD5
b43dad342319da3e8512c3f1a54d9163

SHA1
19e18d029269d7fa6396a56f937c8d45478c318e

SHA256
2d72c6046c8510322df87453aea8fb61a6811ead3114bfe862053d2b4f8dda95

SHA512
f149514b94cdd637eb740a896468d8976590b377d30e47f2cceea2d63325ddcf4a24d56e586632e4e72ff23fa3180c679b8890b8210969a6bfd2362ef7c03f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat

Filesize
183B

MD5
90517cc8d32b3e9e17b4310ff1f1ddf9

SHA1
c66b80a90f00ef1e07dcb6ce926c9b2ba272e771

SHA256
173ab95cd3f8f761e5b439074a63c9f73e0613b1fa5179fad490200f68b2450d

SHA512
dae7a29030f6c4bff1c1401b7d68b43579009c8e515b8b3bc8b61af73f62d74b42a7fdda8e3479eb5a901ae2fcdb30b19e2a9bf753d7aca70fb12876a37dc1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
183B

MD5
22cbe6c806d93e81b5283d5ae12c59bc

SHA1
0ba366916c8f2424ac7901166aad49ea52f0d1e1

SHA256
5373c8819d21cbf42892163d6368be715320fe894e5f071772e9377447039a7b

SHA512
b25328fd7d9c5673b389297fdfcacad179a9607e28136c94446b28cc7171bee9e34d1bf9492b267d42cf89d165bffa65110b86330a577d3347b2ef87393163ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
183B

MD5
22cbe6c806d93e81b5283d5ae12c59bc

SHA1
0ba366916c8f2424ac7901166aad49ea52f0d1e1

SHA256
5373c8819d21cbf42892163d6368be715320fe894e5f071772e9377447039a7b

SHA512
b25328fd7d9c5673b389297fdfcacad179a9607e28136c94446b28cc7171bee9e34d1bf9492b267d42cf89d165bffa65110b86330a577d3347b2ef87393163ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
183B

MD5
4f9f3dfc8aada8ab250c5320f674c6ca

SHA1
3976d6ee05c1d551dd6212f28cafeb50095f55cc

SHA256
4d3b24ddbf1993f839aefe86c4f7e5a0ad5db5e28bd614dc4ddd198a7c269cf8

SHA512
2a8261d6c049999c2c6d712fdf843cb0a08b18ed29fbe96880e71f2a8ba6f6ae54aa487db74453fa27dcca424d4fc42ec7b8a75588bf292efd7b7f058bd92b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat

Filesize
183B

MD5
f90395aefb35a298f6761ae2cee2443e

SHA1
e0aaebce76814348ec2db93cf76b422bd962c58d

SHA256
286e4b2185a75fb1f2530f316c328f88e2215be3835b920e04dbbc679858a3b9

SHA512
b6531bd241b5569f86bed847d5a9bba8c109d50aeb20cfe29a5e361678037dba41a87a6e61b7f7a2d5db3ea78732d785a75da29af31742a0d8d09679c2a22cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
183B

MD5
c9e290cad3b22a0b13545cc8bfdac876

SHA1
08ccf9fdf23f1b8a524a08e0eeee627c48f8a097

SHA256
bd1b34224a950473cb9ad8efad50fe331a9292231bba9097aad033fb397bf26f

SHA512
010bda883220c0a1820d7908bfeb68431eac8ae4a8ccb8505b226f9904d16aec578fa70c3c18682a0b0d10b0fe2a9398f267d9e36e36c6ac20da913700f25b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat

Filesize
183B

MD5
29268c467087ed7d99a6e463b7503dfd

SHA1
9a18748348eb1ddb55ff5ca513f84e1943c282cd

SHA256
eaf49804c429c5c8b3dd3d661ba4dce56519bbbd4ea445e69e6e8709ea631240

SHA512
94b78ec6a49378d4ab1e7aa6a04aa8ea2debba7ceab94c2ce68e4a5cc5e873515ff65773f3fb8738b702842690e03289f9b1121ae9e604cff1485f5c2f71310b

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/824-160-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/824-174-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1100-178-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1100-161-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-189-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-185-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1648-162-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1648-180-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-232-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-228-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-168-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-163-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-175-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/2236-155-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-246-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-242-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-140-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-139-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/2536-152-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/2544-239-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2544-235-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2692-154-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/2692-173-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/2736-169-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/2736-159-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/2800-253-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2800-249-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download
memory/3232-200-0x00007FF99DCE0000-0x00007FF99E7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3232-204-0x00007FF99DCE0000-0x00007FF99E7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3320-197-0x00007FF99DCE0000-0x00007FF99E7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3320-193-0x00007FF99DCE0000-0x00007FF99E7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-207-0x00007FF99DCE0000-0x00007FF99E7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-211-0x00007FF99DCE0000-0x00007FF99E7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-153-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-150-0x0000013FF7D70000-0x0000013FF7D92000-memory.dmp

Filesize
136KB

Download
memory/3692-166-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-158-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-181-0x00007FF99E0E0000-0x00007FF99EBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-218-0x00007FF99DD50000-0x00007FF99E811000-memory.dmp

Filesize
10.8MB

Download
memory/4440-214-0x00007FF99DD50000-0x00007FF99E811000-memory.dmp

Filesize
10.8MB

Download
memory/5056-221-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-225-0x00007FF99DE00000-0x00007FF99E8C1000-memory.dmp

Filesize
10.8MB

Download