dcrat | 67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3.exe
Size

1.3MB
MD5

e9d5e1e80ed7cb0d72f3c85d5de7be83
SHA1

dfbbce3d60e19c596ac5c630fc18e2ee21ce8e2c
SHA256

67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3
SHA512

05aa0bc06eb200b590f2c76bede906d88899064d3a646fe94909630c2369f999c909fc1ee4a46fae51cb92f0757ecce98f6bc539123dd384d939d81e3672f348
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2424	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2424	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0e-9.dat	dcrat
behavioral1/memory/2896-13-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/700-92-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1520-151-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat
behavioral1/memory/2236-211-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/2440-331-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2016-391-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/680-510-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2684-571-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/448-691-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2032	powershell.exe
1708	powershell.exe
696	powershell.exe
952	powershell.exe
1412	powershell.exe
2576	powershell.exe
1048	powershell.exe
1160	powershell.exe
1508	powershell.exe
928	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2896	DllCommonsvc.exe
700	lsm.exe
1520	lsm.exe
2236	lsm.exe
2680	lsm.exe
2440	lsm.exe
2016	lsm.exe
1824	lsm.exe
680	lsm.exe
2684	lsm.exe
1028	lsm.exe
448	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	cmd.exe
2812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe
2340	schtasks.exe
2564	schtasks.exe
2172	schtasks.exe
2912	schtasks.exe
2792	schtasks.exe
560	schtasks.exe
1484	schtasks.exe
1168	schtasks.exe
2168	schtasks.exe
2848	schtasks.exe
1916	schtasks.exe
2272	schtasks.exe
2984	schtasks.exe
3016	schtasks.exe
1696	schtasks.exe
2328	schtasks.exe
1600	schtasks.exe
644	schtasks.exe
912	schtasks.exe
3020	schtasks.exe
2380	schtasks.exe
3004	schtasks.exe
2108	schtasks.exe
3052	schtasks.exe
2412	schtasks.exe
2820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2896	DllCommonsvc.exe
1160	powershell.exe
928	powershell.exe
2032	powershell.exe
1048	powershell.exe
1708	powershell.exe
1412	powershell.exe
696	powershell.exe
1508	powershell.exe
2576	powershell.exe
952	powershell.exe
700	lsm.exe
1520	lsm.exe
2236	lsm.exe
2680	lsm.exe
2440	lsm.exe
2016	lsm.exe
1824	lsm.exe
680	lsm.exe
2684	lsm.exe
1028	lsm.exe
448	lsm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	DllCommonsvc.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	700	lsm.exe
Token: SeDebugPrivilege	1520	lsm.exe
Token: SeDebugPrivilege	2236	lsm.exe
Token: SeDebugPrivilege	2680	lsm.exe
Token: SeDebugPrivilege	2440	lsm.exe
Token: SeDebugPrivilege	2016	lsm.exe
Token: SeDebugPrivilege	1824	lsm.exe
Token: SeDebugPrivilege	680	lsm.exe
Token: SeDebugPrivilege	2684	lsm.exe
Token: SeDebugPrivilege	1028	lsm.exe
Token: SeDebugPrivilege	448	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2756	2732	67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3.exe	31
PID 2732 wrote to memory of 2756	2732	67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3.exe	31
PID 2732 wrote to memory of 2756	2732	67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3.exe	31
PID 2732 wrote to memory of 2756	2732	67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3.exe	31
PID 2756 wrote to memory of 2812	2756	WScript.exe	32
PID 2756 wrote to memory of 2812	2756	WScript.exe	32
PID 2756 wrote to memory of 2812	2756	WScript.exe	32
PID 2756 wrote to memory of 2812	2756	WScript.exe	32
PID 2812 wrote to memory of 2896	2812	cmd.exe	34
PID 2812 wrote to memory of 2896	2812	cmd.exe	34
PID 2812 wrote to memory of 2896	2812	cmd.exe	34
PID 2812 wrote to memory of 2896	2812	cmd.exe	34
PID 2896 wrote to memory of 1048	2896	DllCommonsvc.exe	63
PID 2896 wrote to memory of 1048	2896	DllCommonsvc.exe	63
PID 2896 wrote to memory of 1048	2896	DllCommonsvc.exe	63
PID 2896 wrote to memory of 1708	2896	DllCommonsvc.exe	64
PID 2896 wrote to memory of 1708	2896	DllCommonsvc.exe	64
PID 2896 wrote to memory of 1708	2896	DllCommonsvc.exe	64
PID 2896 wrote to memory of 1160	2896	DllCommonsvc.exe	65
PID 2896 wrote to memory of 1160	2896	DllCommonsvc.exe	65
PID 2896 wrote to memory of 1160	2896	DllCommonsvc.exe	65
PID 2896 wrote to memory of 1508	2896	DllCommonsvc.exe	66
PID 2896 wrote to memory of 1508	2896	DllCommonsvc.exe	66
PID 2896 wrote to memory of 1508	2896	DllCommonsvc.exe	66
PID 2896 wrote to memory of 696	2896	DllCommonsvc.exe	67
PID 2896 wrote to memory of 696	2896	DllCommonsvc.exe	67
PID 2896 wrote to memory of 696	2896	DllCommonsvc.exe	67
PID 2896 wrote to memory of 952	2896	DllCommonsvc.exe	68
PID 2896 wrote to memory of 952	2896	DllCommonsvc.exe	68
PID 2896 wrote to memory of 952	2896	DllCommonsvc.exe	68
PID 2896 wrote to memory of 1412	2896	DllCommonsvc.exe	69
PID 2896 wrote to memory of 1412	2896	DllCommonsvc.exe	69
PID 2896 wrote to memory of 1412	2896	DllCommonsvc.exe	69
PID 2896 wrote to memory of 2576	2896	DllCommonsvc.exe	70
PID 2896 wrote to memory of 2576	2896	DllCommonsvc.exe	70
PID 2896 wrote to memory of 2576	2896	DllCommonsvc.exe	70
PID 2896 wrote to memory of 928	2896	DllCommonsvc.exe	71
PID 2896 wrote to memory of 928	2896	DllCommonsvc.exe	71
PID 2896 wrote to memory of 928	2896	DllCommonsvc.exe	71
PID 2896 wrote to memory of 2032	2896	DllCommonsvc.exe	72
PID 2896 wrote to memory of 2032	2896	DllCommonsvc.exe	72
PID 2896 wrote to memory of 2032	2896	DllCommonsvc.exe	72
PID 2896 wrote to memory of 1544	2896	DllCommonsvc.exe	83
PID 2896 wrote to memory of 1544	2896	DllCommonsvc.exe	83
PID 2896 wrote to memory of 1544	2896	DllCommonsvc.exe	83
PID 1544 wrote to memory of 2856	1544	cmd.exe	85
PID 1544 wrote to memory of 2856	1544	cmd.exe	85
PID 1544 wrote to memory of 2856	1544	cmd.exe	85
PID 1544 wrote to memory of 700	1544	cmd.exe	86
PID 1544 wrote to memory of 700	1544	cmd.exe	86
PID 1544 wrote to memory of 700	1544	cmd.exe	86
PID 700 wrote to memory of 2612	700	lsm.exe	87
PID 700 wrote to memory of 2612	700	lsm.exe	87
PID 700 wrote to memory of 2612	700	lsm.exe	87
PID 2612 wrote to memory of 2624	2612	cmd.exe	89
PID 2612 wrote to memory of 2624	2612	cmd.exe	89
PID 2612 wrote to memory of 2624	2612	cmd.exe	89
PID 2612 wrote to memory of 1520	2612	cmd.exe	90
PID 2612 wrote to memory of 1520	2612	cmd.exe	90
PID 2612 wrote to memory of 1520	2612	cmd.exe	90
PID 1520 wrote to memory of 3028	1520	lsm.exe	91
PID 1520 wrote to memory of 3028	1520	lsm.exe	91
PID 1520 wrote to memory of 3028	1520	lsm.exe	91
PID 3028 wrote to memory of 1980	3028	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3.exe
"C:\Users\Admin\AppData\Local\Temp\67ce72358f361a21340373a3eefb4ba742659086e11cd3e4565431a721b707f3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7X17DqVmvH.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2856
      - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2624
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1980
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        11⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2484
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        13⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2604
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
        15⤵
        
        PID:928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3060
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        17⤵
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:912
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"
        19⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2420
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        21⤵
        
        PID:2368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1284
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
        23⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1744
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
        25⤵
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3004
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ModemLogs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f47198d6bad817b4e36454c611f4f36

SHA1
b0272455ed1e2939d6611cd6edabae552bfb4bc2

SHA256
3a04600ed15e224027bee8f073c99c0e586d34e226415695dd96f40c677d3bcf

SHA512
31f016512ef1fb244eef0fc005ad61d04efee7058c6b4699e0f4a52c8e525c6f1376d36c1a8bedbae388f6894ec3a99eac2caf89b861c90f2c7494c345aefdd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
557c3c51d4cefeb410855b97122be011

SHA1
c692b91f728ed2db1a21cb17b9a0a51a310b67a0

SHA256
755234faf4ed5e36738797c59a69170344fd5db826572bca8774b1df38f75fe4

SHA512
c4a9bdcba364aad15e81247774d9ef9dc635edc4bbeb66fcf4600f108705659dc90cfdad512cfc8ecdb984959f2abf1687b5304fe5d9779a1a62fe8acda49c20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3849f10886a2a64ed2a99430f596aec8

SHA1
b667aa538c4fbe81b481f37701a44947ba797dd1

SHA256
e97ee150701604f2dccc772a67d77fa3b0530774dafa026426f94893995707f8

SHA512
255fc8609ba0b58c40711f02c5f0212d3781367bee6b8c3e9a3d1c17e56a4b8c2ba3255fffa54bab5465ff0a02f64b76e4b5e695f3fda3e682cef3e0c4738537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a35f337cc33f1d4d40757ae5a4a2ebf8

SHA1
0fd198d48d4658895651d059cc51f3a6f674be74

SHA256
edcd59756e9f3cddbaeba31e56b863f9f20af8fd25ed3db488530c7969185ff9

SHA512
6d563ad1011c49765c295447868c1d06c1d2f059cb3f2377abf873d1a8567088a18a62688b9e65e044b505a8564cb83ed1400d72446b898b810f11ff5e8f3e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82209d5fa00cfb52802359ccc33fd920

SHA1
97b9d4915d0d73098d2db618300d4c90c31c44b2

SHA256
fe4dd72120a2e43b9116aa0225c9b32acb725d7c57ca3ff52ae27ec81fecf1f0

SHA512
0a8a153cfd5386e9fe42609bf3f952732e3771fb82dfdc252f0333103ad44077de9182344a6c11dfba80b3af3581819f47e63b8041b7ffb274b10b55daf5893f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45c755d9a12e5cf5c11db3b1fe887461

SHA1
656066e33ba0a8cc8e16cb77d5ce36c6d677a984

SHA256
b03c721ab1c23b7b98998246839882e278bf7a156242735233971ccc853d0aa5

SHA512
4c5364d8b17b6a1194f50f54dfc630cad809558e930879a73a7a6171f9ccd041699d2a15ecb0e6fda2340b2f0791a355a2b0ff6a2b3db2b711b050199d9a98e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
294cf56ad616fad057c7d999ba5da5a0

SHA1
429da4ae9791ab1d96e343405caf30524e4910c0

SHA256
c2e17901482eeea581822aea54450301ca9953e9168e3a5b2692f643fa671d65

SHA512
4227980984114a7e4f187a389c552884001a191937086570413e3362e5709b0e22fa3db2d136c460e8b715d8267ff70caa77a8495817631bf70282a82c58709f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcd7ef27e2d4d1c142da5fd32ddb0f34

SHA1
c99fee63c157396450d6f8a93f5dfeaa29badc59

SHA256
26c639f3be1ec24c11d16c12d35624c91aaeb057f42a1472a547bdcad82b1fcf

SHA512
40cece5b0a38f3e58ce65b1920aa002ad9359decbb9a56218298e22e42edc3ec06e29dc2b8edca41eccc3f3814c3fb7d358c3aca00617c45baed49bf515aa414

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edd21b6da963cd11692025cfda5acc57

SHA1
cb2f24b06bed5b7072151920e1996900341ff587

SHA256
3b53d3c1d634d331ed92e458a6932cc36729b1786688a38e2f26fa6f81bbba60

SHA512
2871057b94fdb2ecd9aff1c7c1752a2e82bb75a192d31af8092965826c7e474d1110d1af6a81b1efd86d822c005469269cc11b9cf8175e2ecb517ecc16a967b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat

Filesize
221B

MD5
2be02e7bd649ec3d9cf8cbb3823cd03e

SHA1
3a52bd09b443251ae6ec324c50673b618602cd87

SHA256
075194d3fd863f42337fe49dd87ca1149b3a852a9458a4343bbd2e84e838211c

SHA512
1a472e0eeb3249f92cc0c96b91340c7d0bdae316cdb772dd216a23c1de6df0628661a139af41f630ab6a00a3e5eecd4aa2a7d1affd8fba188a78a39e1806fa7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7X17DqVmvH.bat

Filesize
221B

MD5
5cb1e9d81504950ec920f8acb5e351fd

SHA1
e25ff09a641a62ad715d4c00f0fb9756cb53b2bc

SHA256
4fe74e456bf6ac6596ed161755d87d586a50c5267b380d7fb6cd86b3ae230a5e

SHA512
4b9c9a09e45fe5e858d679be23307ade60f8a13a520f6db7eebac83b4c885ce64a936b02bed9038b61c6679a0217a5ee6c4b2cff7eebe4f6619a70b9e4ee86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat

Filesize
221B

MD5
4cc165d80e201b0a7669b71350a205dd

SHA1
a0cce7379cd043e3c2e4b895f14e51e33658d89a

SHA256
3765e341cb07c0274f84dbc319112588c73001c7b0eb6149f5d7df2aa9019bd3

SHA512
6f4c207c34d65297538970d46bcd6a1a9ae7345ce01f68470e061eb0c3d714e2bc1d51ff2711b76614ca3fce67e474036b8774161f6467dab96315af63982341

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab34E8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
221B

MD5
481417cecd1be355bcadf4d6f1520ea6

SHA1
2c9939523a005ec8eb432310670f3cf74a971cd8

SHA256
87dfe6df93520a84513ff79c597d5514246f4f8a1b2d3b00f0ac30acdb6c06d1

SHA512
d8307bc6f1abd74105225d996ce97731bc5e515a858e01510e6491ddc32522f26b5d7641da9f53c6ccd8c53c0c1b8042b2a6430b02a8c5f3ec6cbb0a28a34675

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

Filesize
221B

MD5
34a79043392e3528b7cf11cfb7d49f15

SHA1
d183d0b04fbd96159819f04215eb8220a8e190d8

SHA256
951109a40826a607a38b2f4b2fee1dcd19eaa4843e9610c157e6e853892f6464

SHA512
bf093b95bdcc06669e58a5a890c04bbb8195093392a7dbaf8615070aa76d1406d384e7d92a6ed1142e86eece2161ad9a2601f95ac434eb5f7b1363896f7e4e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

Filesize
221B

MD5
25e84500dc0015d821a1d8926602f689

SHA1
51b2ed0e304a9e40191a67ec2898ba3b562c6b1a

SHA256
dceb7cf25793fea6248dcc4b7e27aecc2db70b4b0726b2c54069703dc865d37a

SHA512
91824022df4c002f518d071039df47a456226a69f087f2689786745af7254a49305777a694a7f867ab5fc7fb15aa6f23f080a0249a7cf82bea6e5f155c6aa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
221B

MD5
e3e90768794e7c2f5493d9a43c37a37c

SHA1
91db526b7000631b2b6a3469833723d9e31cce60

SHA256
cb7fa293218531518d3809baf7a343b84e1d98110ef8ac153a6825cf07be88e2

SHA512
ca8cd1ae64cd4e0082374851d42b913037851422315ac74657b06525e60b91e428fc671f3efb2c8494dde852df5a535ea0a980a160debf8a41e1a781eb8db4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
221B

MD5
f17ad57c98f0290bf04d218f8c5d04ca

SHA1
0e46fe0c400cddc2215e090a1e19ad6c8d8604b8

SHA256
e5a74f44046611d4dd68c2badc2d9482c91bc38c322aaa11326a35283fde703f

SHA512
ae33e73bacbb9d20ac1916dc432a2e9411fb88c23a2e746a631904496714a293b76b3646d2efb04a65a204c40e0c445592f49dd28279ef39e332b731e5fb93ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar34FA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
221B

MD5
a7940aa6fee29a1448bd020fc5e7c43e

SHA1
224b49bd7173a6c9e73e78b907201b681e950832

SHA256
ec14140a904786039ed0cd6bf981170da68ba0953087f28b9a697619276ed04c

SHA512
a230896761b427ea82692cfca70f7b4ed4bd1d7de1a1f6e80949aed1e9f2de48ea77541271514d840c808bc848dfa61e4485ad4599d21b24c3529708430a2851

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

Filesize
221B

MD5
496fe46fb18a270d00f870cc24136369

SHA1
4ecc83bfb948644c04a02ee0087381123b3f7f85

SHA256
6fbac20568c3f80f7806225eac7bc56212d2e97620a755a5cd5434f3e36ef3b2

SHA512
c568cf2c0eae0ee50deba84dd368322c8386cd2dec486c497a3ed753b2980d884fab8e68b01c52574ef1d5bae40f5d39fe2ca5d59771be876338d3cffbbf297d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat

Filesize
221B

MD5
05cd531ed2b1ffebe1c2a42a0478e374

SHA1
e233d4fbcf73ad0b5a088a57009437ef8a4bef35

SHA256
e2662ac13eb4165bf7058591e756fd5542b4acc99668bd41807b50f9c82d427f

SHA512
bc1af975751c351e3d63a64d15cfd171fb99b1534915a27bb84683f12e95a93f920ceb241b1c624f116fc0335248607d6e3c2852ad6f86c6414ff67052bbd078

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d64c88f241b26f3ed29f9c7c1192e367

SHA1
01ea94c212cd7df078a792116821039cd284ce6d

SHA256
0595d6c72ded1dd4a0a933ddb02346cacd79cd91cfe8db37717a919d6bb755d6

SHA512
0a337e45a6b352df330ea0e6fa46923725d8e2ad74998afe8265fd90c4127283fbab6e58ae1b3416b0cdc3e52a209c5b620afd3168767e4d44b0b33127a5f235

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/448-691-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/680-510-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/680-511-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/700-92-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/1160-59-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/1160-58-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1520-151-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/2016-391-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2236-212-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2236-211-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2440-331-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2684-571-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2684-572-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2896-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2896-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2896-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2896-13-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/2896-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download