dcrat | acdbc769b489332e21c774410ee663bcb1290453b619397f698416ef6d9d12bf

Analysis

max time kernel
146s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31-10-2022 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acdbc769b489332e21c774410ee663bcb1290453b619397f698416ef6d9d12bf.exe
Size

1.3MB
MD5

036f4cfd5820982c714f10429ac5de75
SHA1

16805ed4f921652bd881f96fb761f7a89d2e040c
SHA256

acdbc769b489332e21c774410ee663bcb1290453b619397f698416ef6d9d12bf
SHA512

da159d5500a90885bb7a3334d9ee68b88057a3d9a860e48bb2299548adb9ae8884089ac07856e55000876fcf37670ba56861257dc6d1851205b962c95a29c290
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3968	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	3968	schtasks.exe	70

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac17-284.dat	dcrat
behavioral1/files/0x000900000001ac17-285.dat	dcrat
behavioral1/memory/3768-286-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac35-618.dat	dcrat
behavioral1/files/0x000600000001ac35-617.dat	dcrat
behavioral1/files/0x000600000001ac35-689.dat	dcrat
behavioral1/files/0x000600000001ac35-696.dat	dcrat
behavioral1/files/0x000600000001ac35-701.dat	dcrat
behavioral1/files/0x000600000001ac35-707.dat	dcrat
behavioral1/files/0x000600000001ac35-713.dat	dcrat
behavioral1/files/0x000600000001ac35-718.dat	dcrat
behavioral1/files/0x000600000001ac35-723.dat	dcrat
behavioral1/files/0x000600000001ac35-728.dat	dcrat

Executes dropped EXE 10 IoCs

pid	Process
3768	DllCommonsvc.exe
4848	wininit.exe
4704	wininit.exe
4540	wininit.exe
4560	wininit.exe
1872	wininit.exe
4332	wininit.exe
2788	wininit.exe
2960	wininit.exe
2880	wininit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\ImmersiveControlPanel\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\ImmersiveControlPanel\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4468	schtasks.exe
4872	schtasks.exe
4664	schtasks.exe
4452	schtasks.exe
1048	schtasks.exe
4308	schtasks.exe
4012	schtasks.exe
4824	schtasks.exe
4740	schtasks.exe
4248	schtasks.exe
3276	schtasks.exe
4736	schtasks.exe
4840	schtasks.exe
5104	schtasks.exe
3284	schtasks.exe
4796	schtasks.exe
4432	schtasks.exe
524	schtasks.exe
1140	schtasks.exe
4804	schtasks.exe
3408	schtasks.exe
3364	schtasks.exe
2804	schtasks.exe
4104	schtasks.exe
528	schtasks.exe
4920	schtasks.exe
4732	schtasks.exe
4764	schtasks.exe
2264	schtasks.exe
4456	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	acdbc769b489332e21c774410ee663bcb1290453b619397f698416ef6d9d12bf.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	wininit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3768	DllCommonsvc.exe
3580	powershell.exe
4032	powershell.exe
216	powershell.exe
96	powershell.exe
96	powershell.exe
2220	powershell.exe
2220	powershell.exe
632	powershell.exe
632	powershell.exe
4808	powershell.exe
4808	powershell.exe
2296	powershell.exe
2296	powershell.exe
1632	powershell.exe
1632	powershell.exe
2068	powershell.exe
2068	powershell.exe
1020	powershell.exe
1020	powershell.exe
2068	powershell.exe
1632	powershell.exe
4808	powershell.exe
3580	powershell.exe
3580	powershell.exe
4032	powershell.exe
4032	powershell.exe
96	powershell.exe
216	powershell.exe
216	powershell.exe
2220	powershell.exe
632	powershell.exe
2296	powershell.exe
1020	powershell.exe
2068	powershell.exe
1632	powershell.exe
4808	powershell.exe
3580	powershell.exe
216	powershell.exe
4032	powershell.exe
2220	powershell.exe
96	powershell.exe
632	powershell.exe
1020	powershell.exe
2296	powershell.exe
4848	wininit.exe
4848	wininit.exe
4704	wininit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	DllCommonsvc.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	96	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeIncreaseQuotaPrivilege	1632	powershell.exe
Token: SeSecurityPrivilege	1632	powershell.exe
Token: SeTakeOwnershipPrivilege	1632	powershell.exe
Token: SeLoadDriverPrivilege	1632	powershell.exe
Token: SeSystemProfilePrivilege	1632	powershell.exe
Token: SeSystemtimePrivilege	1632	powershell.exe
Token: SeProfSingleProcessPrivilege	1632	powershell.exe
Token: SeIncBasePriorityPrivilege	1632	powershell.exe
Token: SeCreatePagefilePrivilege	1632	powershell.exe
Token: SeBackupPrivilege	1632	powershell.exe
Token: SeRestorePrivilege	1632	powershell.exe
Token: SeShutdownPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeSystemEnvironmentPrivilege	1632	powershell.exe
Token: SeRemoteShutdownPrivilege	1632	powershell.exe
Token: SeUndockPrivilege	1632	powershell.exe
Token: SeManageVolumePrivilege	1632	powershell.exe
Token: 33	1632	powershell.exe
Token: 34	1632	powershell.exe
Token: 35	1632	powershell.exe
Token: 36	1632	powershell.exe
Token: SeIncreaseQuotaPrivilege	2068	powershell.exe
Token: SeSecurityPrivilege	2068	powershell.exe
Token: SeTakeOwnershipPrivilege	2068	powershell.exe
Token: SeLoadDriverPrivilege	2068	powershell.exe
Token: SeSystemProfilePrivilege	2068	powershell.exe
Token: SeSystemtimePrivilege	2068	powershell.exe
Token: SeProfSingleProcessPrivilege	2068	powershell.exe
Token: SeIncBasePriorityPrivilege	2068	powershell.exe
Token: SeCreatePagefilePrivilege	2068	powershell.exe
Token: SeBackupPrivilege	2068	powershell.exe
Token: SeRestorePrivilege	2068	powershell.exe
Token: SeShutdownPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeSystemEnvironmentPrivilege	2068	powershell.exe
Token: SeRemoteShutdownPrivilege	2068	powershell.exe
Token: SeUndockPrivilege	2068	powershell.exe
Token: SeManageVolumePrivilege	2068	powershell.exe
Token: 33	2068	powershell.exe
Token: 34	2068	powershell.exe
Token: 35	2068	powershell.exe
Token: 36	2068	powershell.exe
Token: SeIncreaseQuotaPrivilege	4808	powershell.exe
Token: SeSecurityPrivilege	4808	powershell.exe
Token: SeTakeOwnershipPrivilege	4808	powershell.exe
Token: SeLoadDriverPrivilege	4808	powershell.exe
Token: SeSystemProfilePrivilege	4808	powershell.exe
Token: SeSystemtimePrivilege	4808	powershell.exe
Token: SeProfSingleProcessPrivilege	4808	powershell.exe
Token: SeIncBasePriorityPrivilege	4808	powershell.exe
Token: SeCreatePagefilePrivilege	4808	powershell.exe
Token: SeBackupPrivilege	4808	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3740	2180	acdbc769b489332e21c774410ee663bcb1290453b619397f698416ef6d9d12bf.exe	66
PID 2180 wrote to memory of 3740	2180	acdbc769b489332e21c774410ee663bcb1290453b619397f698416ef6d9d12bf.exe	66
PID 2180 wrote to memory of 3740	2180	acdbc769b489332e21c774410ee663bcb1290453b619397f698416ef6d9d12bf.exe	66
PID 3740 wrote to memory of 4596	3740	WScript.exe	67
PID 3740 wrote to memory of 4596	3740	WScript.exe	67
PID 3740 wrote to memory of 4596	3740	WScript.exe	67
PID 4596 wrote to memory of 3768	4596	cmd.exe	69
PID 4596 wrote to memory of 3768	4596	cmd.exe	69
PID 3768 wrote to memory of 4808	3768	DllCommonsvc.exe	101
PID 3768 wrote to memory of 4808	3768	DllCommonsvc.exe	101
PID 3768 wrote to memory of 3580	3768	DllCommonsvc.exe	102
PID 3768 wrote to memory of 3580	3768	DllCommonsvc.exe	102
PID 3768 wrote to memory of 4032	3768	DllCommonsvc.exe	103
PID 3768 wrote to memory of 4032	3768	DllCommonsvc.exe	103
PID 3768 wrote to memory of 96	3768	DllCommonsvc.exe	117
PID 3768 wrote to memory of 96	3768	DllCommonsvc.exe	117
PID 3768 wrote to memory of 216	3768	DllCommonsvc.exe	107
PID 3768 wrote to memory of 216	3768	DllCommonsvc.exe	107
PID 3768 wrote to memory of 2296	3768	DllCommonsvc.exe	108
PID 3768 wrote to memory of 2296	3768	DllCommonsvc.exe	108
PID 3768 wrote to memory of 2220	3768	DllCommonsvc.exe	115
PID 3768 wrote to memory of 2220	3768	DllCommonsvc.exe	115
PID 3768 wrote to memory of 632	3768	DllCommonsvc.exe	110
PID 3768 wrote to memory of 632	3768	DllCommonsvc.exe	110
PID 3768 wrote to memory of 1020	3768	DllCommonsvc.exe	111
PID 3768 wrote to memory of 1020	3768	DllCommonsvc.exe	111
PID 3768 wrote to memory of 1632	3768	DllCommonsvc.exe	118
PID 3768 wrote to memory of 1632	3768	DllCommonsvc.exe	118
PID 3768 wrote to memory of 2068	3768	DllCommonsvc.exe	121
PID 3768 wrote to memory of 2068	3768	DllCommonsvc.exe	121
PID 3768 wrote to memory of 1460	3768	DllCommonsvc.exe	123
PID 3768 wrote to memory of 1460	3768	DllCommonsvc.exe	123
PID 1460 wrote to memory of 2804	1460	cmd.exe	125
PID 1460 wrote to memory of 2804	1460	cmd.exe	125
PID 1460 wrote to memory of 4848	1460	cmd.exe	127
PID 1460 wrote to memory of 4848	1460	cmd.exe	127
PID 4848 wrote to memory of 2780	4848	wininit.exe	128
PID 4848 wrote to memory of 2780	4848	wininit.exe	128
PID 2780 wrote to memory of 2796	2780	cmd.exe	130
PID 2780 wrote to memory of 2796	2780	cmd.exe	130
PID 2780 wrote to memory of 4704	2780	cmd.exe	131
PID 2780 wrote to memory of 4704	2780	cmd.exe	131
PID 4704 wrote to memory of 4148	4704	wininit.exe	132
PID 4704 wrote to memory of 4148	4704	wininit.exe	132
PID 4148 wrote to memory of 3604	4148	cmd.exe	134
PID 4148 wrote to memory of 3604	4148	cmd.exe	134
PID 4148 wrote to memory of 4540	4148	cmd.exe	135
PID 4148 wrote to memory of 4540	4148	cmd.exe	135
PID 4540 wrote to memory of 5004	4540	wininit.exe	136
PID 4540 wrote to memory of 5004	4540	wininit.exe	136
PID 5004 wrote to memory of 3152	5004	cmd.exe	138
PID 5004 wrote to memory of 3152	5004	cmd.exe	138
PID 5004 wrote to memory of 4560	5004	cmd.exe	139
PID 5004 wrote to memory of 4560	5004	cmd.exe	139
PID 4560 wrote to memory of 4808	4560	wininit.exe	140
PID 4560 wrote to memory of 4808	4560	wininit.exe	140
PID 4808 wrote to memory of 2692	4808	cmd.exe	142
PID 4808 wrote to memory of 2692	4808	cmd.exe	142
PID 4808 wrote to memory of 1872	4808	cmd.exe	143
PID 4808 wrote to memory of 1872	4808	cmd.exe	143
PID 1872 wrote to memory of 2696	1872	wininit.exe	144
PID 1872 wrote to memory of 2696	1872	wininit.exe	144
PID 2696 wrote to memory of 4720	2696	cmd.exe	146
PID 2696 wrote to memory of 4720	2696	cmd.exe	146

C:\Users\Admin\AppData\Local\Temp\acdbc769b489332e21c774410ee663bcb1290453b619397f698416ef6d9d12bf.exe
"C:\Users\Admin\AppData\Local\Temp\acdbc769b489332e21c774410ee663bcb1290453b619397f698416ef6d9d12bf.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:96
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pPJcA7KtiR.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2804
      - C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2796
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3604
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3152
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2692
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4720
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
        17⤵
        
        PID:5104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1632
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
        19⤵
        
        PID:5024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4324
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
        21⤵
        
        PID:4340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1404
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        22⤵
        Executes dropped EXE
        
        PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\ImmersiveControlPanel\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\ImmersiveControlPanel\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
55cb81b5eeaa06c2277b47fed04fba03

SHA1
56fd6608597d288dd5881eb5265598fe2bb9e377

SHA256
46c73204d2002678591c0fa612a68301308729ebb25071afcefb4f734c69f9a2

SHA512
abbedde1572da8e231a77d4eddf3e2fce5f9731a25ceaf6cdf83186b90f49844411f025cc381cc2b0b54aa9199d9fdf6a9567c3de25703d6f0e0b7fe0d2d5340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2355b6dd4ff1782eac9f2a2677d8c3e5

SHA1
95d39b4bf043c4938abfcb950ec5d3ad535a448e

SHA256
17eaf4b7d29c36714b4672ed4ad91a235a2648bbfe469bf81be7242803863828

SHA512
c069a77e2db163c11415bacda12d3ddaaf24a3e00c95662ebb48a6287e7206d1a157e2a0181d052ffc95ee421dd797321da1a156bda0618775446e118dcfdda5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
93f9fe58db158d0347ef8103f080ae8c

SHA1
364ae93f1d3d2633221d57ee17c266a491039b58

SHA256
ffcc32927f578186ca1899b29fae57acf292efe41817ec43db74b474c9249bc1

SHA512
2aa2d418893c51e37022de16f58144e09721e04b1229891dd4df3e48f679e32d1bc08e3f5ac972b4d0e172a2ee896068bab003c27d62d76cf416aa2e8542816f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3afb35eac65590018a218b5bf7be753

SHA1
ac43475bc5b081e905a59baaab3c2611f29eec78

SHA256
3ae4c1b313ed2d74d5d0814d64d4accf94d66237f01df0d71380c114e3cd88fd

SHA512
07fc235740b68cf88428dd0531323c0938fdfd57cdf41e7826ab34bdb2714c5375df1279f10c23357d2dbb7a60070f9f79a234f06209eaa9fda92aa49d6bc9de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fbdf69e295c3ab2a838ebf8b00b63824

SHA1
41ca4a1b9178f7d33fc036494eb17f7f71aae82d

SHA256
d81ea994386e8e288fd7e7ceda841c01d0d40fbead1464794079285cba3ad5d3

SHA512
160ef51bc128b906fc0d0d8483807144307e9d4545caeff85f1fb197e323962c599ccec10bfb8e75609461470b2fa58da6d359ea51b19eb1e2e5e2a03239934d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a34f45cecbb0a1d4dc6446f0b73f833d

SHA1
7442dc814c86c30214584ce49311fb44bccb1c43

SHA256
4d4d68a0f7b5ba14758d5c67ff1d3bcdd339ac3d359bae6afa0d71d9f90a609c

SHA512
650b19c55190e236d87463de09841ce028af4440bebcef9efdb6e43a01fa3b73d3d8b909f4889846401e5aab7ed9ac2e9be5aad338d759ccb812005b90cbd19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
40fe8278bafd63d52939d1da1c1da2c7

SHA1
9343b71aea711d719af5741aee08f27723fef161

SHA256
2dace57d0bdc4f3cc1580b30b4ded7b158c3ccb38ddce0b4202c0fe71848a4e9

SHA512
54066674170bce0e0aa4fbfd5d3831eb388e8353db414c5965cefeb88c1e81034bf1d3a65d3299a6fed5c083d3ef63a4802cc24e5f1eb8e657123ba1d8e83998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a34f45cecbb0a1d4dc6446f0b73f833d

SHA1
7442dc814c86c30214584ce49311fb44bccb1c43

SHA256
4d4d68a0f7b5ba14758d5c67ff1d3bcdd339ac3d359bae6afa0d71d9f90a609c

SHA512
650b19c55190e236d87463de09841ce028af4440bebcef9efdb6e43a01fa3b73d3d8b909f4889846401e5aab7ed9ac2e9be5aad338d759ccb812005b90cbd19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1e6b45bba374b6817bfd93a01942325

SHA1
9bfddc9cc124189f8daf9ca369a46b4e58fff8f0

SHA256
4daa080532650b8085916302c1af57256c8142a8f79c88dae616e4ebcd1dd973

SHA512
800c1c7cc1979d8b317bcf803f28d6a25c7ebb753d8f0f7c3b8cd09e95e0e2317f0edb76edee020cb84e686fcbc1879f457f04858fba766aa123796a2f8d1e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1e6b45bba374b6817bfd93a01942325

SHA1
9bfddc9cc124189f8daf9ca369a46b4e58fff8f0

SHA256
4daa080532650b8085916302c1af57256c8142a8f79c88dae616e4ebcd1dd973

SHA512
800c1c7cc1979d8b317bcf803f28d6a25c7ebb753d8f0f7c3b8cd09e95e0e2317f0edb76edee020cb84e686fcbc1879f457f04858fba766aa123796a2f8d1e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
198B

MD5
eb63956a3d37f003535edb3efaa0f4c2

SHA1
71a4a7948dcbc0493f917fa0f84a757c6108c4f1

SHA256
d990cec3112b0bb45207f458ad9c859d7aa2141b4475ff6b2de66cdf0e68887d

SHA512
0d939457886f89d9425ea3f0e733fd4a84f4d691ee264081f6b34766fed2bdedeea864d4079697bbae7f78d89b6813fc89b762c87d129ea180a99b76b189998f

Download Submit
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

Filesize
198B

MD5
e9db06abd45d0f74e0c1acbbe5432feb

SHA1
c6ae9b4d68ce7c2a51dc2c2515a6298b648e5f6e

SHA256
09b2d503567787e35e61a523b20ac3d933223a210099b0882c8a37ff6241dbac

SHA512
ffb345a7adcf069567dc2e6641f00505492a38519a7a12346632f26519435be73755fe6fd97badb9efee6655b28ea7401688aacff0774c0c9bee4dcfc24b97fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

Filesize
198B

MD5
7cc2c03fb93ef07e1b77f2d033ee91c6

SHA1
d06c8a0f30a2a2a1e54498cae6229e6cef73824a

SHA256
bea28ce31afe6818768c8bf120502f9d77ff4c11849b6bcdcf600f65ec099d00

SHA512
8a3e77da313c78c06e03024bf5c8b5a39c98aa27ee61971cc4f8d8fcd1a571c5caba086caf55996db0ce2a3f86e356440517a7c1ae261dc0b0a38f71a2f712dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat

Filesize
198B

MD5
14d18f844eec75f2c7cc8d2640f1d5c3

SHA1
62d4409e10f555f4137f4fd4312009b30e0943cf

SHA256
dc70679df0b29140b4f7accf640d33f1a3ab87635e01b136e3db9ca4f572c3a1

SHA512
92a5d1dbc30a44a32a47bc611afb97b5488bb7b7d345892f069aba2b6adddb16bb9952462d9bed0c5183af74007e66fe728a864a236d1e73fa82050a6e14b0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat

Filesize
198B

MD5
c62b3c6584335e7deec301d366496a50

SHA1
330668ec5635a26e5d2772ff564b892a4febbf89

SHA256
30c14e38c8759d7709afd28c7910601ca31ce120fc02df38b0da4e9003a2fcc0

SHA512
f69ae875273d444c19eb510df80904abe7385f1753a7e82b0eb36565df7f9240f9b29535ef8b39ce1a98e38d9fabd1f8815e3833965e3625f71adf67b726c1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

Filesize
198B

MD5
4425f2eb16dff0928c7bcbeb47cc2408

SHA1
6229ceb698f52652ef7a6f00247d7d47a3a88a77

SHA256
ca0d742c1016b24845699f62272bd08a656ba5aae54710d3526a3c1aebff8f96

SHA512
6eb36e7b5a3f065d1bf7181bb624b1489454b7eab95edd498eb3b4e59764ff617a265e81bbc777336671b6fb6751eb1766eaf3017839ef3279b57ceffad9ec29

Download Submit
C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat

Filesize
198B

MD5
1e1d01800ae8b14827c831f918395165

SHA1
5f3eee7a8f36ca23824ea890a1ad804843b06bb8

SHA256
b5f6688062365e2ad821837f898594a5a82ff15d38346073b60ff1babb69c737

SHA512
3943d56e87605b5dbd151a4f017bcf7bf8a238b6bd94b2df8d0423348aa9674bd23ee8634399ae5a1802477ee5ada5240bb98f469570bef850f5e192b98c3178

Download Submit
C:\Users\Admin\AppData\Local\Temp\pPJcA7KtiR.bat

Filesize
198B

MD5
afa8b62d400f7536359f195a5568247b

SHA1
a3d5a2054e4a1a6133980a4a9be2a2378c149817

SHA256
872293974ad56f0d3635865ee947cc2c2c04a0a6abaabf1a4cedb081208d0e3f

SHA512
df4235f671b57ac43b8dcc8b870e979233cd1961511249d63d40288b71b18babdb5197463577eefc707338fef00c15bbcee2ae6b291d65a82a8f725c4a5cfaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat

Filesize
198B

MD5
cd1a8ea7e5de2cf4f5c9d6d899910249

SHA1
a1b3f980b37d05ec752d0d9dd096732f83dbd86a

SHA256
e9dfc7446245ba91cd40e39d61cc9cbd8fc78c47233d742ca8e0f49ae90e82ed

SHA512
355e662f53435f390910c1d192d008c395ed723e42ec5e0ace2fb0252e674e134c3554c2790dfbabe5916c162f739fa2dc2093df65b6424c261793582953f0f7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1872-708-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2068-350-0x000001A3E7590000-0x000001A3E7606000-memory.dmp

Filesize
472KB

Download
memory/2180-159-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-160-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-171-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-173-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-172-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-174-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-175-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-176-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-177-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-178-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-179-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-180-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-181-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-182-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-183-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-136-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-137-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-134-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-169-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-168-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-121-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-167-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-138-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-166-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-122-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-123-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-170-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-125-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-135-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-139-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-126-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-132-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-165-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-164-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-140-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-163-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-162-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-128-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-161-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-133-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-120-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-141-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-158-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-157-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-131-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-129-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-156-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-155-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-130-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-154-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-153-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-152-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-151-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-150-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-149-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-148-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-147-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-146-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-145-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-144-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-142-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-143-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/3740-186-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/3740-185-0x00000000776E0000-0x000000007786E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-288-0x0000000002CD0000-0x0000000002CDC000-memory.dmp

Filesize
48KB

Download
memory/3768-287-0x00000000013D0000-0x00000000013E2000-memory.dmp

Filesize
72KB

Download
memory/3768-290-0x0000000002C90000-0x0000000002C9C000-memory.dmp

Filesize
48KB

Download
memory/3768-289-0x0000000002D00000-0x0000000002D0C000-memory.dmp

Filesize
48KB

Download
memory/3768-286-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/4560-702-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/4704-691-0x000000001B140000-0x000000001B152000-memory.dmp

Filesize
72KB

Download
memory/4808-347-0x0000017B4FDB0000-0x0000017B4FDD2000-memory.dmp

Filesize
136KB

Download
memory/4848-637-0x00000000008A0000-0x00000000008B2000-memory.dmp

Filesize
72KB

Download