dcrat | e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97

Analysis

max time kernel
116s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exe
Size

1.3MB
MD5

a0f5c401551f67365155ee0c94ebe1a0
SHA1

902f259ffe50fe38831b712861811010201bc1a3
SHA256

e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97
SHA512

dc259e72b317ffa749eff93d640346637c9b104babf8c25ab58614d9c1877b3edc63b1199ee6ac29532427da81683b5d142fe192ed1ef1f5eeb6f42b17acf8f7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2764	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x00070000000193b8-12.dat	dcrat
behavioral1/memory/2136-13-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/2036-87-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/768-146-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/2248-206-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/2232-325-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2480-385-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1564-445-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2948-505-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1840	powershell.exe
1940	powershell.exe
2588	powershell.exe
2384	powershell.exe
2360	powershell.exe
2168	powershell.exe
1256	powershell.exe
2080	powershell.exe
876	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

DllCommonsvc.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

pid	Process
2136	DllCommonsvc.exe
2036	OSPPSVC.exe
768	OSPPSVC.exe
2248	OSPPSVC.exe
3048	OSPPSVC.exe
2232	OSPPSVC.exe
2480	OSPPSVC.exe
1564	OSPPSVC.exe
2948	OSPPSVC.exe
2036	OSPPSVC.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
3068	cmd.exe
3068	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
6	raw.githubusercontent.com
20	raw.githubusercontent.com
9	raw.githubusercontent.com
11	raw.githubusercontent.com
14	raw.githubusercontent.com
16	raw.githubusercontent.com
18	raw.githubusercontent.com
23	raw.githubusercontent.com
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\nl-NL\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\nl-NL\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Program Files directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\b75386f1303e64	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\1610b97d3ab4a7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exee04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exeWScript.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1472	schtasks.exe
2580	schtasks.exe
1336	schtasks.exe
1316	schtasks.exe
764	schtasks.exe
2348	schtasks.exe
1688	schtasks.exe
2884	schtasks.exe
1784	schtasks.exe
2748	schtasks.exe
1828	schtasks.exe
2560	schtasks.exe
2524	schtasks.exe
1780	schtasks.exe
524	schtasks.exe
2328	schtasks.exe
2244	schtasks.exe
2280	schtasks.exe
1652	schtasks.exe
952	schtasks.exe
472	schtasks.exe
2356	schtasks.exe
2344	schtasks.exe
2188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

pid	Process
2136	DllCommonsvc.exe
2136	DllCommonsvc.exe
2136	DllCommonsvc.exe
2136	DllCommonsvc.exe
2136	DllCommonsvc.exe
1940	powershell.exe
2384	powershell.exe
2588	powershell.exe
2360	powershell.exe
2080	powershell.exe
1256	powershell.exe
876	powershell.exe
1840	powershell.exe
2168	powershell.exe
2036	OSPPSVC.exe
768	OSPPSVC.exe
2248	OSPPSVC.exe
3048	OSPPSVC.exe
2232	OSPPSVC.exe
2480	OSPPSVC.exe
1564	OSPPSVC.exe
2948	OSPPSVC.exe
2036	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2136	DllCommonsvc.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2036	OSPPSVC.exe
Token: SeDebugPrivilege	768	OSPPSVC.exe
Token: SeDebugPrivilege	2248	OSPPSVC.exe
Token: SeDebugPrivilege	3048	OSPPSVC.exe
Token: SeDebugPrivilege	2232	OSPPSVC.exe
Token: SeDebugPrivilege	2480	OSPPSVC.exe
Token: SeDebugPrivilege	1564	OSPPSVC.exe
Token: SeDebugPrivilege	2948	OSPPSVC.exe
Token: SeDebugPrivilege	2036	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exeWScript.execmd.exeDllCommonsvc.execmd.exeOSPPSVC.execmd.exeOSPPSVC.execmd.exe

description	pid	Process	procid_target
PID 3012 wrote to memory of 2892	3012	e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exe	30
PID 3012 wrote to memory of 2892	3012	e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exe	30
PID 3012 wrote to memory of 2892	3012	e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exe	30
PID 3012 wrote to memory of 2892	3012	e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exe	30
PID 2892 wrote to memory of 3068	2892	WScript.exe	31
PID 2892 wrote to memory of 3068	2892	WScript.exe	31
PID 2892 wrote to memory of 3068	2892	WScript.exe	31
PID 2892 wrote to memory of 3068	2892	WScript.exe	31
PID 3068 wrote to memory of 2136	3068	cmd.exe	33
PID 3068 wrote to memory of 2136	3068	cmd.exe	33
PID 3068 wrote to memory of 2136	3068	cmd.exe	33
PID 3068 wrote to memory of 2136	3068	cmd.exe	33
PID 2136 wrote to memory of 2384	2136	DllCommonsvc.exe	59
PID 2136 wrote to memory of 2384	2136	DllCommonsvc.exe	59
PID 2136 wrote to memory of 2384	2136	DllCommonsvc.exe	59
PID 2136 wrote to memory of 2360	2136	DllCommonsvc.exe	60
PID 2136 wrote to memory of 2360	2136	DllCommonsvc.exe	60
PID 2136 wrote to memory of 2360	2136	DllCommonsvc.exe	60
PID 2136 wrote to memory of 2168	2136	DllCommonsvc.exe	61
PID 2136 wrote to memory of 2168	2136	DllCommonsvc.exe	61
PID 2136 wrote to memory of 2168	2136	DllCommonsvc.exe	61
PID 2136 wrote to memory of 2080	2136	DllCommonsvc.exe	62
PID 2136 wrote to memory of 2080	2136	DllCommonsvc.exe	62
PID 2136 wrote to memory of 2080	2136	DllCommonsvc.exe	62
PID 2136 wrote to memory of 1256	2136	DllCommonsvc.exe	63
PID 2136 wrote to memory of 1256	2136	DllCommonsvc.exe	63
PID 2136 wrote to memory of 1256	2136	DllCommonsvc.exe	63
PID 2136 wrote to memory of 2588	2136	DllCommonsvc.exe	64
PID 2136 wrote to memory of 2588	2136	DllCommonsvc.exe	64
PID 2136 wrote to memory of 2588	2136	DllCommonsvc.exe	64
PID 2136 wrote to memory of 1840	2136	DllCommonsvc.exe	66
PID 2136 wrote to memory of 1840	2136	DllCommonsvc.exe	66
PID 2136 wrote to memory of 1840	2136	DllCommonsvc.exe	66
PID 2136 wrote to memory of 876	2136	DllCommonsvc.exe	67
PID 2136 wrote to memory of 876	2136	DllCommonsvc.exe	67
PID 2136 wrote to memory of 876	2136	DllCommonsvc.exe	67
PID 2136 wrote to memory of 1940	2136	DllCommonsvc.exe	68
PID 2136 wrote to memory of 1940	2136	DllCommonsvc.exe	68
PID 2136 wrote to memory of 1940	2136	DllCommonsvc.exe	68
PID 2136 wrote to memory of 2100	2136	DllCommonsvc.exe	77
PID 2136 wrote to memory of 2100	2136	DllCommonsvc.exe	77
PID 2136 wrote to memory of 2100	2136	DllCommonsvc.exe	77
PID 2100 wrote to memory of 2116	2100	cmd.exe	79
PID 2100 wrote to memory of 2116	2100	cmd.exe	79
PID 2100 wrote to memory of 2116	2100	cmd.exe	79
PID 2100 wrote to memory of 2036	2100	cmd.exe	80
PID 2100 wrote to memory of 2036	2100	cmd.exe	80
PID 2100 wrote to memory of 2036	2100	cmd.exe	80
PID 2036 wrote to memory of 2952	2036	OSPPSVC.exe	81
PID 2036 wrote to memory of 2952	2036	OSPPSVC.exe	81
PID 2036 wrote to memory of 2952	2036	OSPPSVC.exe	81
PID 2952 wrote to memory of 2560	2952	cmd.exe	83
PID 2952 wrote to memory of 2560	2952	cmd.exe	83
PID 2952 wrote to memory of 2560	2952	cmd.exe	83
PID 2952 wrote to memory of 768	2952	cmd.exe	84
PID 2952 wrote to memory of 768	2952	cmd.exe	84
PID 2952 wrote to memory of 768	2952	cmd.exe	84
PID 768 wrote to memory of 2144	768	OSPPSVC.exe	85
PID 768 wrote to memory of 2144	768	OSPPSVC.exe	85
PID 768 wrote to memory of 2144	768	OSPPSVC.exe	85
PID 2144 wrote to memory of 1988	2144	cmd.exe	87
PID 2144 wrote to memory of 1988	2144	cmd.exe	87
PID 2144 wrote to memory of 1988	2144	cmd.exe	87
PID 2144 wrote to memory of 2248	2144	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exe
"C:\Users\Admin\AppData\Local\Temp\e04adb2e124f62f895ef4bb78dd3658d1258a98be4ec8de99bf459872fbecc97N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\nl-NL\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3ANxhMsQvM.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2116
      - C:\Windows\Downloaded Program Files\OSPPSVC.exe
        
        "C:\Windows\Downloaded Program Files\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2560
        
        C:\Windows\Downloaded Program Files\OSPPSVC.exe
        
        "C:\Windows\Downloaded Program Files\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1988
        
        C:\Windows\Downloaded Program Files\OSPPSVC.exe
        
        "C:\Windows\Downloaded Program Files\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        11⤵
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2576
        
        C:\Windows\Downloaded Program Files\OSPPSVC.exe
        
        "C:\Windows\Downloaded Program Files\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
        13⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2424
        
        C:\Windows\Downloaded Program Files\OSPPSVC.exe
        
        "C:\Windows\Downloaded Program Files\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
        15⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1260
        
        C:\Windows\Downloaded Program Files\OSPPSVC.exe
        
        "C:\Windows\Downloaded Program Files\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"
        17⤵
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1892
        
        C:\Windows\Downloaded Program Files\OSPPSVC.exe
        
        "C:\Windows\Downloaded Program Files\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat"
        19⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1060
        
        C:\Windows\Downloaded Program Files\OSPPSVC.exe
        
        "C:\Windows\Downloaded Program Files\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
        21⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2292
        
        C:\Windows\Downloaded Program Files\OSPPSVC.exe
        
        "C:\Windows\Downloaded Program Files\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
        23⤵
        
        PID:812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk1.7.0_80\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\nl-NL\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SysWOW64\nl-NL\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\nl-NL\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d75a25b64cc3c5eb3d4e4ea3f623ea5c

SHA1
4e14317d34b963d3f02193e8b96b3f73cf977c69

SHA256
2b8c89d775e2795bd8b1b099f6e91d7a5c328becd4acec3e8915bec355ac4f9d

SHA512
e3d6be88bd983f79a2b18ab9f33856980764762e22d4b316fb2e1bc71a01c4399af15fa66fb0036b6b01d428b9c5c6a1b61840b98e20c776c7dcb569f1934cae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a537b4051a8a311ec81d5e5aed5d0c2b

SHA1
67fea79a2db3b29653b2ecc34778ba62b00e0ec5

SHA256
416dc85372c839a7b12cf0eb578daf554df6ff5dc2671a2763de8c44384da3a2

SHA512
7a0cb907155ae469bc62c7f1b590d53da8509b100e90aff57e71117ba818aeb9b2c8a46ae409733eac4fa4e1bf8950652240333de347e41df098d45691bde295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45c61cb78b4e1a227eb263a9b91e4d88

SHA1
c17bcd539abb8f9db69e76e7e3ec37597c6bfe27

SHA256
7069a1922e0716663b9ffe2a5c2e00763cf4b0d44d53457950d2aa34ccb04381

SHA512
82dc8f6635882996dd24b19f0b4ca217049f705d967256b873c63ea39957d325595122ec6cc7b40d6befec78667118e36564c111d2f3015e0ebf841cb54e73b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fa9169919c8f75fcadbe200902c39c6

SHA1
94074e948ffad298ed0738ed17ac17881bdb9315

SHA256
1fa53c6543ef1407a3627267fe55ab506e872edd396335cc21b8a53495a2d45d

SHA512
25a48bd4ce1313c48e43e068dd8903708435bc8ed3ce2b6abd21fe447400da95c180ae2f6378a5c17dbcd13cb5934d1995e7785330a1582947ca8aba8c2bf974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a0c272c76685652757975824839ce55

SHA1
4c987d558e7cf30c4969acc1ac61b71e0b6d04e2

SHA256
b12822a796c7818ee98bcb51e6859482a3427a3e6ae050ad4bfc9888c25e3247

SHA512
e95a940ff85e3dd92d7050c9f5b5572a295c25ab0cb9d7b8bcefa248c22c3e791fb870b8d06c5aca359acbb70587b61a4bfe2c3f7dedb3073d8ec414b9593697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71d27ff601baa2e305cf887cf6fdacea

SHA1
c9377841dcc71c2cd8373e77c2868ef8987c3924

SHA256
b4a4c91d134d5a89a3b7f719e5611598c17585cd3a565a2efb2b1aa9ad55ffe1

SHA512
872b7b9a6106df72268e5891141179b0411d49914fc9580c95f188ca88960d1051c3e9026470b58a96d54c8a7a1acc3fc36613f91248eeb41b6d4d10aa2f8693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7edad61962ca82776543a82202f708f

SHA1
9a12cfbc9a37f8235ee7e13379d8a45c806fa323

SHA256
53d3437c83bf68c6b659a489bc186539f453c38ee6f7640ac866c9f77e27d782

SHA512
865bed502fc730e635753e009ebe26d5c2b09be2d873ce9fd47e470b3fa16f645ede5eb231d4b00df07b07df51f74d0dacf21033d7cca55071a57770ff053f45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
969a8b5f8b4b2720abda0d519e9bed3c

SHA1
4b7fcb4cb03ab5110c14685c518e22eeb31401b3

SHA256
bc885584a96e082a582f27de85fd8e0651013282bdc83cc606214d75ab55c066

SHA512
cfd5c06f9cb19059674d1e9343db38e1c550818210228531e448d3c08dbe777b4986adde40cc6b37a13156912d7488c5cbcd7914d1beb58e378fad0aa08e5d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat

Filesize
212B

MD5
c0ac984ff6455c49b14b2b03e3a78d7d

SHA1
5519626d347ec70a641599f255edfd1dc85effe5

SHA256
e81e2af62f379f14c26aa4738425c1ff184f7083901785245a37edc7d3549799

SHA512
55fb76f0cfa0913e4b1f47326b85ad88f8cb2b154892fc178f2e930f2c299d82c90877de49ecb1ac6db05e5a3a4f6570e79dcd920606be4b8f11b8ef15009179

Download Submit
C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

Filesize
212B

MD5
151bbc41c4d43d57c0400580a4f27ec3

SHA1
6f39f26ad1067cb1e8c69fab8267c44a0e35fd91

SHA256
3b8b0a676546e297987e5e2336977b3b7f49aa76a058f0a1d646f679a822bc55

SHA512
b26e77dde51fc5846705131512c37a2ef027a9bbf3ec3b1a8aedd39ca80dfce7d7e6e290421db317be31e58fba42211ca58aab462cea5a1699af76b848c9dcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ANxhMsQvM.bat

Filesize
212B

MD5
eb54ee28e81774a94fa985430a6a516b

SHA1
f986ed9bd78aaf54999c7f6bc3208a576b20855c

SHA256
2be53b35f71f104efe4f589e46fe792c3a67d22c26072286caf07eee87d9200a

SHA512
1dfb542e85be7e4b64719319f8842ceec838fd0de33724adfc25993adb5321b8efc7dd848db2ad53d91ebe5ee775915d271909d59b52e373b1dbdff81d662de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD6A2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
212B

MD5
4fef425377db3b6e94f6bdd77ea6257c

SHA1
b03f936d1390dd70dda606dfeee6106b68364d21

SHA256
7033b687724e57fcf439a87212d0bd3b9a22d97f87d41786fec7d38a8adca228

SHA512
d4a380721b06e4809425e2d809e28a58f97040e1cbc9d6745f883dfd8ba90d72318a74b59bca6c4421bf0421b038bf9cc77ecf64543bacf42550ae75b4055085

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
212B

MD5
ab743874610031c37fb73a825b84d500

SHA1
dce81fdf18a60d27a5829820f5c400710014a413

SHA256
ecada9b0383f567bbce6bdb38eaffbc03c2106a50bc0f2af605b981d3459e2cc

SHA512
5842e08ee5d85175b899b6db4488f8b5a592f084e39af3423d1e88e441c3a8eb2a91862b5e5ff8cb5d9f6f58a730b3b6321c7a0ae246034739e9e75e2bfdb9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD703.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat

Filesize
212B

MD5
6e372244c33d281e19c9a5ff0def7175

SHA1
4a00d05944802584c52dd0bffc4597f2ee0d695c

SHA256
de062dd2415e11248d2be3176560b00df8cb77ab347b0f9ab3a860ef2fe08638

SHA512
0667e221fc20591af059b3d197e8b726ea6fcee882e26e231d513c11050795d3185145708f50e9d521e4c2967491189e95d6bb76ea2ff6b8a92e262d0ece044c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat

Filesize
212B

MD5
f3a41fd5088ed519ed41ba797d603080

SHA1
f6d0b7993ad4d981aead4eac4847d7e4267bd6bc

SHA256
c9c988515c114d6eb79f15c9f241ec6d0a85eabc5b2563ee130794575f3166f6

SHA512
6f5c041907eb4b2a502b67b7ccee9ad1f84036570e458369f632883217f743eb582396e5cb5e895934c55ebe180295f47b5633feba75010002c7a9902474ff97

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

Filesize
212B

MD5
c96d26d50e17fd23537578619a71b900

SHA1
27c0764784c1eada0736b32d02181bf890f71b53

SHA256
ebfc3990799220f24631b105ddf6b0b718bebc78e43277b621da991bfadbc2d5

SHA512
f03cfc07150043a1fd7123f040758f95fab00572efbb996a0b630f3624786f4339eec13fe7af7f9609f0468111373e2f00c59b8ea90497549481284add3b69f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat

Filesize
212B

MD5
20b27bcc2a236009779c15b9afabc321

SHA1
e61c4b18a930b74b9cc48815cd5f6a79087cf1f7

SHA256
d204b2ae69160ef26709c0b580fd45fd0896a36ad29dbf63e97cee36f401623b

SHA512
923fea2a3fb82942b0aa14856961279dd91613c6cdeb3e8a136cc72661c7cafb43a9af8a8c10276dee44686e4b3e9d05699b26f5653be326939e1c0735930222

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat

Filesize
212B

MD5
3db468a9abefa6f8778b289e477a8e50

SHA1
9f900c6b7fe21fcd32021e7198e77480974e35b0

SHA256
570b7ae5915be6aa632652740df49c07cba0f6580cad947d79191eb4a044c2e3

SHA512
cdf7a708a589dba9b09ed15fbb2ddfb79ca6dd6200f6fe489cd4aa4c480f579a0a0ddb89a87dbb5bc7829519f6e326cfba3f1cb9c6e53a5b727760073a14dc7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0e28532ab602c0eaa1467ab0f52d92d6

SHA1
24200fc84538e8759ceb3ae6c452e16b563e49ba

SHA256
f019ab29c5205688e1ec8e789f12b6ec0cc7e97d0f76fc0b5e17603736afdf68

SHA512
3d4eca6d953dbc612d3f7b398cd4c44a016b7c070366164075a34f938b91bf9b4420905488f0bdfb9b5b71273e3ead1c43028ed6eb6f2ee617ffc104edc8e224

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/768-146-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/1564-445-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/1940-64-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2036-87-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2136-17-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2136-16-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/2136-15-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2136-14-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/2136-13-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2232-325-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2248-206-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2360-63-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2480-385-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2948-505-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download