dcrat | 569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe
Size

1.3MB
MD5

5bbd166f7975753b899b34b400be0341
SHA1

740309cb77eb8fee4105d520bd44f8f0171ec3fb
SHA256

569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb
SHA512

a2f85c09f878c30fb6b3e0562ff21d3a6b4f23f49b2610052fe265ee8cc5f9dc508add38406d24b41d5d852d8b9eef04eb4b742121ec916b55c10be1c607554f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2908	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186c8-9.dat	dcrat
behavioral1/memory/2776-13-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1580-45-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/1964-152-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/1652-331-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/2000-391-0x0000000000DC0000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/2776-451-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2536-512-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/1524-573-0x0000000000B60000-0x0000000000C70000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1004	powershell.exe
772	powershell.exe
1656	powershell.exe
1048	powershell.exe
448	powershell.exe
1164	powershell.exe
1664	powershell.exe
1412	powershell.exe
2212	powershell.exe
700	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2776	DllCommonsvc.exe
1580	OSPPSVC.exe
1964	OSPPSVC.exe
2064	OSPPSVC.exe
2312	OSPPSVC.exe
1652	OSPPSVC.exe
2000	OSPPSVC.exe
2776	OSPPSVC.exe
2536	OSPPSVC.exe
1524	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
1028	cmd.exe
1028	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1352	schtasks.exe
320	schtasks.exe
2824	schtasks.exe
2204	schtasks.exe
2692	schtasks.exe
2096	schtasks.exe
2124	schtasks.exe
2948	schtasks.exe
2612	schtasks.exe
2696	schtasks.exe
1928	schtasks.exe
2452	schtasks.exe
2796	schtasks.exe
2412	schtasks.exe
3000	schtasks.exe
1032	schtasks.exe
2624	schtasks.exe
640	schtasks.exe
576	schtasks.exe
3056	schtasks.exe
476	schtasks.exe
1000	schtasks.exe
1532	schtasks.exe
2808	schtasks.exe
2488	schtasks.exe
2600	schtasks.exe
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2776	DllCommonsvc.exe
2776	DllCommonsvc.exe
2776	DllCommonsvc.exe
1664	powershell.exe
448	powershell.exe
2212	powershell.exe
1004	powershell.exe
1656	powershell.exe
772	powershell.exe
1048	powershell.exe
700	powershell.exe
1164	powershell.exe
1412	powershell.exe
1580	OSPPSVC.exe
1964	OSPPSVC.exe
2064	OSPPSVC.exe
2312	OSPPSVC.exe
1652	OSPPSVC.exe
2000	OSPPSVC.exe
2776	OSPPSVC.exe
2536	OSPPSVC.exe
1524	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	DllCommonsvc.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1580	OSPPSVC.exe
Token: SeDebugPrivilege	1964	OSPPSVC.exe
Token: SeDebugPrivilege	2064	OSPPSVC.exe
Token: SeDebugPrivilege	2312	OSPPSVC.exe
Token: SeDebugPrivilege	1652	OSPPSVC.exe
Token: SeDebugPrivilege	2000	OSPPSVC.exe
Token: SeDebugPrivilege	2776	OSPPSVC.exe
Token: SeDebugPrivilege	2536	OSPPSVC.exe
Token: SeDebugPrivilege	1524	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2540	1752	569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe	30
PID 1752 wrote to memory of 2540	1752	569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe	30
PID 1752 wrote to memory of 2540	1752	569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe	30
PID 1752 wrote to memory of 2540	1752	569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe	30
PID 2540 wrote to memory of 1028	2540	WScript.exe	31
PID 2540 wrote to memory of 1028	2540	WScript.exe	31
PID 2540 wrote to memory of 1028	2540	WScript.exe	31
PID 2540 wrote to memory of 1028	2540	WScript.exe	31
PID 1028 wrote to memory of 2776	1028	cmd.exe	33
PID 1028 wrote to memory of 2776	1028	cmd.exe	33
PID 1028 wrote to memory of 2776	1028	cmd.exe	33
PID 1028 wrote to memory of 2776	1028	cmd.exe	33
PID 2776 wrote to memory of 1004	2776	DllCommonsvc.exe	62
PID 2776 wrote to memory of 1004	2776	DllCommonsvc.exe	62
PID 2776 wrote to memory of 1004	2776	DllCommonsvc.exe	62
PID 2776 wrote to memory of 448	2776	DllCommonsvc.exe	63
PID 2776 wrote to memory of 448	2776	DllCommonsvc.exe	63
PID 2776 wrote to memory of 448	2776	DllCommonsvc.exe	63
PID 2776 wrote to memory of 1164	2776	DllCommonsvc.exe	64
PID 2776 wrote to memory of 1164	2776	DllCommonsvc.exe	64
PID 2776 wrote to memory of 1164	2776	DllCommonsvc.exe	64
PID 2776 wrote to memory of 772	2776	DllCommonsvc.exe	65
PID 2776 wrote to memory of 772	2776	DllCommonsvc.exe	65
PID 2776 wrote to memory of 772	2776	DllCommonsvc.exe	65
PID 2776 wrote to memory of 2212	2776	DllCommonsvc.exe	66
PID 2776 wrote to memory of 2212	2776	DllCommonsvc.exe	66
PID 2776 wrote to memory of 2212	2776	DllCommonsvc.exe	66
PID 2776 wrote to memory of 1664	2776	DllCommonsvc.exe	67
PID 2776 wrote to memory of 1664	2776	DllCommonsvc.exe	67
PID 2776 wrote to memory of 1664	2776	DllCommonsvc.exe	67
PID 2776 wrote to memory of 1412	2776	DllCommonsvc.exe	68
PID 2776 wrote to memory of 1412	2776	DllCommonsvc.exe	68
PID 2776 wrote to memory of 1412	2776	DllCommonsvc.exe	68
PID 2776 wrote to memory of 1656	2776	DllCommonsvc.exe	69
PID 2776 wrote to memory of 1656	2776	DllCommonsvc.exe	69
PID 2776 wrote to memory of 1656	2776	DllCommonsvc.exe	69
PID 2776 wrote to memory of 700	2776	DllCommonsvc.exe	70
PID 2776 wrote to memory of 700	2776	DllCommonsvc.exe	70
PID 2776 wrote to memory of 700	2776	DllCommonsvc.exe	70
PID 2776 wrote to memory of 1048	2776	DllCommonsvc.exe	71
PID 2776 wrote to memory of 1048	2776	DllCommonsvc.exe	71
PID 2776 wrote to memory of 1048	2776	DllCommonsvc.exe	71
PID 2776 wrote to memory of 1580	2776	DllCommonsvc.exe	82
PID 2776 wrote to memory of 1580	2776	DllCommonsvc.exe	82
PID 2776 wrote to memory of 1580	2776	DllCommonsvc.exe	82
PID 1580 wrote to memory of 2180	1580	OSPPSVC.exe	84
PID 1580 wrote to memory of 2180	1580	OSPPSVC.exe	84
PID 1580 wrote to memory of 2180	1580	OSPPSVC.exe	84
PID 2180 wrote to memory of 2784	2180	cmd.exe	86
PID 2180 wrote to memory of 2784	2180	cmd.exe	86
PID 2180 wrote to memory of 2784	2180	cmd.exe	86
PID 2180 wrote to memory of 1964	2180	cmd.exe	87
PID 2180 wrote to memory of 1964	2180	cmd.exe	87
PID 2180 wrote to memory of 1964	2180	cmd.exe	87
PID 1964 wrote to memory of 1688	1964	OSPPSVC.exe	88
PID 1964 wrote to memory of 1688	1964	OSPPSVC.exe	88
PID 1964 wrote to memory of 1688	1964	OSPPSVC.exe	88
PID 1688 wrote to memory of 2260	1688	cmd.exe	90
PID 1688 wrote to memory of 2260	1688	cmd.exe	90
PID 1688 wrote to memory of 2260	1688	cmd.exe	90
PID 1688 wrote to memory of 2064	1688	cmd.exe	91
PID 1688 wrote to memory of 2064	1688	cmd.exe	91
PID 1688 wrote to memory of 2064	1688	cmd.exe	91
PID 2064 wrote to memory of 1408	2064	OSPPSVC.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe
"C:\Users\Admin\AppData\Local\Temp\569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2784
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2260
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat"
        10⤵
        
        PID:1408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:904
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
        12⤵
        
        PID:1448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2584
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        14⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2124
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat"
        16⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2616
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        18⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1568
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        20⤵
        
        PID:288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1944
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        22⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dbde0806f9b8a9f77c8f5ff984a3b0c

SHA1
73b3597088cd2cf2de65fc0f480645d44cba2b72

SHA256
1d459d050ce6f3ad58a5e2a2a3105df340700000b636763e8eabbfda5d1e4d46

SHA512
4ba390d1b7888c1438d7d308e2459aab0abe01021d7526d1cf34008160dce72ca007d968d33f03c0c01f571f7bc9831d538306423540981900aa2ba5a8ce7dea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c252a02dbb28bbd5afaf4b413fb7da4f

SHA1
476a325bf34c63551c235879a2e358e8841660b1

SHA256
9ff56b1e2bbb0fe967ae65daced9421e5eebe29ba874825aaa37a2bf6c4f4e60

SHA512
5db3f91f512a49bd9568c2ce59a7b33716b2812c3321612a0242f1c2b7cf675792da8ac52db83fdbe1164051310cab408354866ac6c6e21c1b1342deb199f6f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b7aceb07db4223b8a16eb1e2fcdce8e

SHA1
3272f318fc4544f29d0560c3a3bf6dd53e288733

SHA256
411f4dd39949ba14c76b5f33c97b61787e0cb694eb5918cdc746db6e73503cbf

SHA512
1db0d9afed44336a8556812b6512db14c40437542c91eb88823bbce5e218e9960a9079f97137a2f52995dc0ce6f3f7c13163e7370030fced3fec41f63bd51f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30c52c2280d5e9b7ab4acf86833edbe9

SHA1
ce4bca3aca7564e5cbb38d3346ee00c2475bc804

SHA256
c040d37ef048dddd657c0804396ddd065d77a117c1d02da9cbae484049e0e8c0

SHA512
c82a85e994a247aeed9edfd37ccff57c3c2b3176f8521e66d6e1f3d3883b89b7dcfd279758f2dc2237f5ab119639731dc7c9115fa22a8c17affe6c560355dd35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97e169317ec2cb9600f667f9a312fb2c

SHA1
9ec87cecf158b693873066ec4f9c8aa2c41dbb23

SHA256
f6c2123bd9fc060bef786f423a48305c92babc3c321fccdd23b45442361e8d67

SHA512
614bb60f461b4f3263e8154f18009b2d11ce068f195b7b62df0f908deb373ced7a46dab4055b67ef571c3bc28ce1ce6406555e47b159629cf7c3d6ef498aa140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49306fd54403cd77ff3e8ed55521453d

SHA1
61a92c1fa532c542363f0d1f47a4d756108f1f21

SHA256
c89090b914860ec20c6b79a922e424199cbe901ef23efcffa41d788d59a99834

SHA512
d80f1ca22dc311b2a3537a777adc8e5d4a6782b6b3d6a196cf2fff126185bcf84b8c335fb591a7b2a47e8d5805f60809ef08403cb08d3bcf7b7f5632cdb1a01a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8c26f114c0ce090e025dcd1600dac34

SHA1
c275e8d8bce6b945bd501a271770b4488ba96059

SHA256
61ecc5c6905631389c587fbe2937e9af3029c12a5d82e95088acd510e95813dc

SHA512
87bd07183e270e484ec9928ad39d36c58052eb3477b80b3d4784670680986b7df47e0748625e8a6951fb91457c413f2efe00cd395444a25c3647329ec8ba7313

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1574c8a6a70bef851b391d2bcc6fd0a3

SHA1
64a1d72ddc6ca5363474418448e35b95dd02a331

SHA256
4e9182dcd2765013de5311caf31f80dc2cc490bf368f36390c4d9a2b3a27e923

SHA512
5346d1870ee554631202242d16aea94b830000e868d8bc00165d67c4ccdfad695fe2345499d73c54455a62ad6c13877d6d830fe2f67bc4b05ace7d2733b7641b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
225B

MD5
42ee7dce068ce1de4d3b6be30cde50fc

SHA1
0452c9c30c65e4f9e2f8e90c0db4de07c60a39d5

SHA256
607e290292557914b6f884c0b0a40e9742fea2496445c002bd27aa58896bc89e

SHA512
bac97b298fde6b907618a289088af0fe03b1e27226ec59ef672fd9d7a4fb4359bb08f8b77379b99f5cb6d2959174c911cd5585f0c18f0dc44be595c140f954b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

Filesize
225B

MD5
81c48efac07619e4c8c410933bae83de

SHA1
7615f07464f01896d23f62c989ec33fd820e2dbc

SHA256
a99d8beb654fd04fb96bfc4cf3ca2797c79390eac790d4db0da192ca2bfda764

SHA512
df998f22283097d014b1bb0719dd414bc5fcc31ec4612a6cd8129fac02679eec0350a8914809defbdce0ef60eedc6883f59c6c687e53046d0166814a11c97c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDE50.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat

Filesize
225B

MD5
d0dbd82f0ec9aac61d3dc638808a43b9

SHA1
32fb559b9168da4299c116487d42fefd755b70d5

SHA256
235339c45ceb715d753b1bec4f515ef6e20df3f8dc18145f675d92107403da24

SHA512
8651cc77a4c774021e57749aaa9ee6d050a876539a3a4064c0f0743a236683c02f9ea30c8ab98c1ad60d4b89cace13cced0fd81f4bba2c2b8dac97da0a4de818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
225B

MD5
d184ef178715e2d6700a48a89c8b6fd9

SHA1
ec2d62a8d89696e7d143340548323f9b4e9db77e

SHA256
b7ea5020f37afc4e3b0fc5be6545b2387c21ddecdb14e7cdd4298d0700500ecd

SHA512
f5f9e338b1e9cff1cb3da040fc98fac870b0c7c64bd1f3b58199e9aa390242b4f051bf3c9d00bc726f433a392773a3fb3a867f3b660308f65013ca8154aa6e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE72.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
225B

MD5
16baad11548c79111241a20e943c60e3

SHA1
655afd71bdcf51ddbc5be969edba637b5bf9097d

SHA256
c380e7f8d88264b62c125861cd313fbd28d19e49456c795f9777dac2da195527

SHA512
e7528be53ddbf80d50223e8152dfc1fe1e035c6cd5d7947e9df3d2a7530cc78235588429de9e3a3494df96f7d2e6defc03e7bad4eebd8ca4d15db5288c2aa212

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

Filesize
225B

MD5
5e847f769d59f404a93402f05bd0fffe

SHA1
7d100c4e32c57eef5f51bdbeedec6d64720b1d96

SHA256
8967fc3cc78adbb52c7a9edbea76eb065ca01a461abd6f11539e50342a1735a7

SHA512
741bec773325cc9d0b56616bbf8b4a579e6e3444022eb9f995437c96609e396db097ce0d176e8337d7a6d1e8f66df0c31274b51508160c1a7cb82261cb781ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat

Filesize
225B

MD5
b69755bfe51206f557882c6cb918f105

SHA1
5d6beec0f39dd895e8409ef0ae4e174dd2f62504

SHA256
fd0f1408ffec63933ea8b0868fd6d0e7024068c2942b01343588f5813b00355d

SHA512
479bec8222ddfeb962214bdb7b7ea5326d16c892f3637951324eaa33f76f0a628b4eadf38caaa7b4db302e915f7081d174905bff16fdb9bff9f353febc374d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

Filesize
225B

MD5
9e75436a75cd0771d0ffb076f3509d36

SHA1
5c8a7fdd6c0db0289320ec717c1b699853931b56

SHA256
78847737c658e147a7308d5e12ef67e152f9b8ee65a3916a777084027596d741

SHA512
f0aa4e69af239075150d4bfaa5a24786dc0bea43d65afd8118e2b2ecf1f612429fc552b8b7e20ede53caf254ee57f3548a5c8489f1281efd9083adb6929a6d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat

Filesize
225B

MD5
de2697292458d5cd8de07703c6bfd63d

SHA1
33ee298f86a848ea4b507b19fccbdcf5746d7022

SHA256
8646bcd1a7c52be65036c9ab8613cfac8925b63dfce8b869b726f876f61494b9

SHA512
6997d3bf4e7af17141f25a4499e0110daa62516cfd40982b1dedd05d83f4609d89c6cc4b5ff5bed92c95903e91e43b0482c9cd5f7e8cfc627921db1344be9bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d64f6f322b4f26603f0bb468a80f6e7f

SHA1
0090d7d633eb863a98e82672eddf84d685f9e4e8

SHA256
df7a208ce1685a54d3a7decf8b3d01da9e3d78b486651a07660c03bebee7b82d

SHA512
33dd926aa0be4aee3ee0e75cf46b1e525928def9c352457464adeb252985497189c9ec18952e6798efdd66d09abfd5832a06a42bae4b366c1f7d26b5635b09c1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/448-53-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/448-54-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1524-573-0x0000000000B60000-0x0000000000C70000-memory.dmp

Filesize
1.1MB

Download
memory/1580-45-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/1652-331-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/1964-153-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1964-152-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2000-391-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/2536-512-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2536-513-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2776-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2776-452-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2776-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2776-15-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2776-451-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2776-14-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2776-13-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download