dcrat | 75c5f6515c4bbdf88e69a93b1ae54f466d5fccd05c14a9e5ad98604c55b2a02f

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 21:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

75c5f6515c4bbdf88e69a93b1ae54f466d5fccd05c14a9e5ad98604c55b2a02f.exe
Size

1.3MB
MD5

ea909b7f92ddb3aa9752c4800b89df3b
SHA1

a6a552957d2562250b520837df8b807b51f1960b
SHA256

75c5f6515c4bbdf88e69a93b1ae54f466d5fccd05c14a9e5ad98604c55b2a02f
SHA512

c4cf944390ab1c9027d1a3eb6c78342363223f03987ef99138787228e9c051610feb1bf5a630a1ae79c42954c4bac4f39c2bf3d5513cc9ccf5b3a72af3707136
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3128	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3128	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001ac55-281.dat	dcrat
behavioral1/files/0x000600000001ac55-280.dat	dcrat
behavioral1/memory/3696-282-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac5e-318.dat	dcrat
behavioral1/files/0x000600000001ac5e-317.dat	dcrat
behavioral1/files/0x000600000001ac5e-666.dat	dcrat
behavioral1/files/0x000600000001ac5e-673.dat	dcrat
behavioral1/files/0x000600000001ac5e-678.dat	dcrat
behavioral1/files/0x000600000001ac5e-683.dat	dcrat
behavioral1/files/0x000600000001ac5e-688.dat	dcrat
behavioral1/files/0x000600000001ac5e-693.dat	dcrat
behavioral1/files/0x000600000001ac5e-698.dat	dcrat
behavioral1/files/0x000600000001ac5e-704.dat	dcrat
behavioral1/files/0x000600000001ac5e-709.dat	dcrat
behavioral1/files/0x000600000001ac5e-714.dat	dcrat
behavioral1/files/0x000600000001ac5e-720.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
3696	DllCommonsvc.exe
2848	wininit.exe
4656	wininit.exe
3412	wininit.exe
2120	wininit.exe
904	wininit.exe
5104	wininit.exe
1360	wininit.exe
4452	wininit.exe
1548	wininit.exe
3436	wininit.exe
4408	wininit.exe
3832	wininit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office16\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office16\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MiracastView\Assets\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\MiracastView\Assets\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3296	schtasks.exe
4476	schtasks.exe
4240	schtasks.exe
3956	schtasks.exe
4420	schtasks.exe
4368	schtasks.exe
4504	schtasks.exe
4652	schtasks.exe
5080	schtasks.exe
4648	schtasks.exe
4344	schtasks.exe
4980	schtasks.exe
1032	schtasks.exe
504	schtasks.exe
4160	schtasks.exe
4328	schtasks.exe
1732	schtasks.exe
4696	schtasks.exe
4580	schtasks.exe
4448	schtasks.exe
372	schtasks.exe
4520	schtasks.exe
5064	schtasks.exe
4656	schtasks.exe
3340	schtasks.exe
528	schtasks.exe
4692	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	75c5f6515c4bbdf88e69a93b1ae54f466d5fccd05c14a9e5ad98604c55b2a02f.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
416	powershell.exe
416	powershell.exe
1464	powershell.exe
1464	powershell.exe
396	powershell.exe
396	powershell.exe
3260	powershell.exe
3260	powershell.exe
188	powershell.exe
188	powershell.exe
1668	powershell.exe
1668	powershell.exe
3396	powershell.exe
3396	powershell.exe
208	powershell.exe
208	powershell.exe
760	powershell.exe
760	powershell.exe
2528	powershell.exe
2528	powershell.exe
188	powershell.exe
3260	powershell.exe
760	powershell.exe
208	powershell.exe
2848	wininit.exe
2848	wininit.exe
416	powershell.exe
1464	powershell.exe
188	powershell.exe
1668	powershell.exe
396	powershell.exe
2528	powershell.exe
3396	powershell.exe
760	powershell.exe
3260	powershell.exe
208	powershell.exe
1668	powershell.exe
416	powershell.exe
396	powershell.exe
1464	powershell.exe
2528	powershell.exe
3396	powershell.exe
4656	wininit.exe
3412	wininit.exe
2120	wininit.exe
904	wininit.exe
5104	wininit.exe
1360	wininit.exe
4452	wininit.exe
1548	wininit.exe
3436	wininit.exe
4408	wininit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	DllCommonsvc.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2848	wininit.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeIncreaseQuotaPrivilege	188	powershell.exe
Token: SeSecurityPrivilege	188	powershell.exe
Token: SeTakeOwnershipPrivilege	188	powershell.exe
Token: SeLoadDriverPrivilege	188	powershell.exe
Token: SeSystemProfilePrivilege	188	powershell.exe
Token: SeSystemtimePrivilege	188	powershell.exe
Token: SeProfSingleProcessPrivilege	188	powershell.exe
Token: SeIncBasePriorityPrivilege	188	powershell.exe
Token: SeCreatePagefilePrivilege	188	powershell.exe
Token: SeBackupPrivilege	188	powershell.exe
Token: SeRestorePrivilege	188	powershell.exe
Token: SeShutdownPrivilege	188	powershell.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeSystemEnvironmentPrivilege	188	powershell.exe
Token: SeRemoteShutdownPrivilege	188	powershell.exe
Token: SeUndockPrivilege	188	powershell.exe
Token: SeManageVolumePrivilege	188	powershell.exe
Token: 33	188	powershell.exe
Token: 34	188	powershell.exe
Token: 35	188	powershell.exe
Token: 36	188	powershell.exe
Token: SeIncreaseQuotaPrivilege	760	powershell.exe
Token: SeSecurityPrivilege	760	powershell.exe
Token: SeTakeOwnershipPrivilege	760	powershell.exe
Token: SeLoadDriverPrivilege	760	powershell.exe
Token: SeSystemProfilePrivilege	760	powershell.exe
Token: SeSystemtimePrivilege	760	powershell.exe
Token: SeProfSingleProcessPrivilege	760	powershell.exe
Token: SeIncBasePriorityPrivilege	760	powershell.exe
Token: SeCreatePagefilePrivilege	760	powershell.exe
Token: SeBackupPrivilege	760	powershell.exe
Token: SeRestorePrivilege	760	powershell.exe
Token: SeShutdownPrivilege	760	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeSystemEnvironmentPrivilege	760	powershell.exe
Token: SeRemoteShutdownPrivilege	760	powershell.exe
Token: SeUndockPrivilege	760	powershell.exe
Token: SeManageVolumePrivilege	760	powershell.exe
Token: 33	760	powershell.exe
Token: 34	760	powershell.exe
Token: 35	760	powershell.exe
Token: 36	760	powershell.exe
Token: SeIncreaseQuotaPrivilege	3260	powershell.exe
Token: SeSecurityPrivilege	3260	powershell.exe
Token: SeTakeOwnershipPrivilege	3260	powershell.exe
Token: SeLoadDriverPrivilege	3260	powershell.exe
Token: SeSystemProfilePrivilege	3260	powershell.exe
Token: SeSystemtimePrivilege	3260	powershell.exe
Token: SeProfSingleProcessPrivilege	3260	powershell.exe
Token: SeIncBasePriorityPrivilege	3260	powershell.exe
Token: SeCreatePagefilePrivilege	3260	powershell.exe
Token: SeBackupPrivilege	3260	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4816	2404	75c5f6515c4bbdf88e69a93b1ae54f466d5fccd05c14a9e5ad98604c55b2a02f.exe	66
PID 2404 wrote to memory of 4816	2404	75c5f6515c4bbdf88e69a93b1ae54f466d5fccd05c14a9e5ad98604c55b2a02f.exe	66
PID 2404 wrote to memory of 4816	2404	75c5f6515c4bbdf88e69a93b1ae54f466d5fccd05c14a9e5ad98604c55b2a02f.exe	66
PID 4816 wrote to memory of 5092	4816	WScript.exe	67
PID 4816 wrote to memory of 5092	4816	WScript.exe	67
PID 4816 wrote to memory of 5092	4816	WScript.exe	67
PID 5092 wrote to memory of 3696	5092	cmd.exe	69
PID 5092 wrote to memory of 3696	5092	cmd.exe	69
PID 3696 wrote to memory of 1464	3696	DllCommonsvc.exe	95
PID 3696 wrote to memory of 1464	3696	DllCommonsvc.exe	95
PID 3696 wrote to memory of 416	3696	DllCommonsvc.exe	115
PID 3696 wrote to memory of 416	3696	DllCommonsvc.exe	115
PID 3696 wrote to memory of 396	3696	DllCommonsvc.exe	113
PID 3696 wrote to memory of 396	3696	DllCommonsvc.exe	113
PID 3696 wrote to memory of 1668	3696	DllCommonsvc.exe	111
PID 3696 wrote to memory of 1668	3696	DllCommonsvc.exe	111
PID 3696 wrote to memory of 3260	3696	DllCommonsvc.exe	109
PID 3696 wrote to memory of 3260	3696	DllCommonsvc.exe	109
PID 3696 wrote to memory of 188	3696	DllCommonsvc.exe	107
PID 3696 wrote to memory of 188	3696	DllCommonsvc.exe	107
PID 3696 wrote to memory of 3396	3696	DllCommonsvc.exe	96
PID 3696 wrote to memory of 3396	3696	DllCommonsvc.exe	96
PID 3696 wrote to memory of 208	3696	DllCommonsvc.exe	104
PID 3696 wrote to memory of 208	3696	DllCommonsvc.exe	104
PID 3696 wrote to memory of 2528	3696	DllCommonsvc.exe	102
PID 3696 wrote to memory of 2528	3696	DllCommonsvc.exe	102
PID 3696 wrote to memory of 760	3696	DllCommonsvc.exe	100
PID 3696 wrote to memory of 760	3696	DllCommonsvc.exe	100
PID 3696 wrote to memory of 2848	3696	DllCommonsvc.exe	99
PID 3696 wrote to memory of 2848	3696	DllCommonsvc.exe	99
PID 2848 wrote to memory of 1484	2848	wininit.exe	122
PID 2848 wrote to memory of 1484	2848	wininit.exe	122
PID 1484 wrote to memory of 4332	1484	cmd.exe	121
PID 1484 wrote to memory of 4332	1484	cmd.exe	121
PID 1484 wrote to memory of 4656	1484	cmd.exe	123
PID 1484 wrote to memory of 4656	1484	cmd.exe	123
PID 4656 wrote to memory of 496	4656	wininit.exe	126
PID 4656 wrote to memory of 496	4656	wininit.exe	126
PID 496 wrote to memory of 4580	496	cmd.exe	124
PID 496 wrote to memory of 4580	496	cmd.exe	124
PID 496 wrote to memory of 3412	496	cmd.exe	127
PID 496 wrote to memory of 3412	496	cmd.exe	127
PID 3412 wrote to memory of 4528	3412	wininit.exe	128
PID 3412 wrote to memory of 4528	3412	wininit.exe	128
PID 4528 wrote to memory of 3252	4528	cmd.exe	130
PID 4528 wrote to memory of 3252	4528	cmd.exe	130
PID 4528 wrote to memory of 2120	4528	cmd.exe	131
PID 4528 wrote to memory of 2120	4528	cmd.exe	131
PID 2120 wrote to memory of 2740	2120	wininit.exe	134
PID 2120 wrote to memory of 2740	2120	wininit.exe	134
PID 2740 wrote to memory of 3480	2740	cmd.exe	133
PID 2740 wrote to memory of 3480	2740	cmd.exe	133
PID 2740 wrote to memory of 904	2740	cmd.exe	135
PID 2740 wrote to memory of 904	2740	cmd.exe	135
PID 904 wrote to memory of 3636	904	wininit.exe	136
PID 904 wrote to memory of 3636	904	wininit.exe	136
PID 3636 wrote to memory of 204	3636	cmd.exe	138
PID 3636 wrote to memory of 204	3636	cmd.exe	138
PID 3636 wrote to memory of 5104	3636	cmd.exe	139
PID 3636 wrote to memory of 5104	3636	cmd.exe	139
PID 5104 wrote to memory of 188	5104	wininit.exe	140
PID 5104 wrote to memory of 188	5104	wininit.exe	140
PID 188 wrote to memory of 4296	188	cmd.exe	142
PID 188 wrote to memory of 4296	188	cmd.exe	142

C:\Users\Admin\AppData\Local\Temp\75c5f6515c4bbdf88e69a93b1ae54f466d5fccd05c14a9e5ad98604c55b2a02f.exe
"C:\Users\Admin\AppData\Local\Temp\75c5f6515c4bbdf88e69a93b1ae54f466d5fccd05c14a9e5ad98604c55b2a02f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
    - - C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3252
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:204
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4296
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
        18⤵
        
        PID:3116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3068
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"
        20⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4772
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        22⤵
        
        PID:3952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3696
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
        24⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2860
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        26⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:5056
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        27⤵
        Executes dropped EXE
        
        PID:3832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.71\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\MiracastView\Assets\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\MiracastView\Assets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\MiracastView\Assets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office16\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\MiracastView\Assets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4332

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4580

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
28693e53a11d4cc0bea32e128faa6fbf

SHA1
3d96d490c2936077256b4a583d3b43eb264f0642

SHA256
9b8cb2138966b70b26605dada9fcd23147ec06ab6fccb99b10804831e1a7559e

SHA512
bbfb54dacd6ead4b9f39d7bed1c7e50bbd6c7bbf52fd97a19e4ad9d5aa3111fe0274b704662c0fde72867ef4f0713128ebddaee5210b30d28d07977b7b9b69a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d2ecb566518b49c850bd1090f6ae9eb

SHA1
624e9abaecf090d916752fe801335d7aa2bd005d

SHA256
d19a231459a9b28692499346bc1c39ae893bf26ce3c98df11961a8add7c4cd8e

SHA512
af25bfd059c95b21d5959b995f8a8d48c5363b216b1b8a03e09a7e6b3c42d2e94c4b172608df6da5574b66c35b5ab169d76492d169007a1840246b29eb7e82a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3589899deac402f9f6fa98f3e48b0bca

SHA1
913a1afe405ba6971b4392c6bafc2b2cad9f1bf0

SHA256
e3b4e6b97500f161a46dcb22522fa43805266e500e7caf1d10671f8127bac3e4

SHA512
97bbd58698611abcdf39efc3eb2107584c5ab51e355758987ab9cbfe7ed9c5b1059f0f72821fc80df77ad4d3ffa68f3fd03ed1877118282a204b2cb0fb7719d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c04f9cb47ec6ebc5c5e97d0078bad528

SHA1
5e481361130ae61de8c98e942feba2c53f901f31

SHA256
1ca67390a5b52d178c7646de9812075d9369eaafdd2fc97e8fcee1ad95391814

SHA512
403e973b34391a2dc0a1907e81758a7dc31e02a25c8fd509ed906edd93261899415eda5a1960791fe92a93e355331d3f1eca5841ebfa04bd578e85ebcb8041cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c04f9cb47ec6ebc5c5e97d0078bad528

SHA1
5e481361130ae61de8c98e942feba2c53f901f31

SHA256
1ca67390a5b52d178c7646de9812075d9369eaafdd2fc97e8fcee1ad95391814

SHA512
403e973b34391a2dc0a1907e81758a7dc31e02a25c8fd509ed906edd93261899415eda5a1960791fe92a93e355331d3f1eca5841ebfa04bd578e85ebcb8041cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
638af4f170397fadefa189112a3742c4

SHA1
5507cb680f11d71db9f94791dea2946198e87e8c

SHA256
c5bb18f205ea5ad88f1a73228a53e159706302a5fe6e744523d3608c89e88141

SHA512
956b7bfb5a9479e554a343f26047b2cdf9cfffe0f1e5eb7413fb798b80ef4e48e3c3626c4a670ed575919d544792e8473791d8d275b55a32011d7ef4f047dda5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
638af4f170397fadefa189112a3742c4

SHA1
5507cb680f11d71db9f94791dea2946198e87e8c

SHA256
c5bb18f205ea5ad88f1a73228a53e159706302a5fe6e744523d3608c89e88141

SHA512
956b7bfb5a9479e554a343f26047b2cdf9cfffe0f1e5eb7413fb798b80ef4e48e3c3626c4a670ed575919d544792e8473791d8d275b55a32011d7ef4f047dda5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
388793c61a8da78be078b3ea100f7106

SHA1
6190538a19e0da36968092c31310f19fb35e47b2

SHA256
7e806dba70d1aebe78da94be255857224c8d0c4e8c93dc665e18ff1afc02b8b7

SHA512
80b446920ada15b2ccea9e7694c645bf23210f235aac09edba016c7f0fbdc6cfac288fcc8814aed07d33d0286871fbcfbbf6b0a40dd11a504651f823b852a4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
388793c61a8da78be078b3ea100f7106

SHA1
6190538a19e0da36968092c31310f19fb35e47b2

SHA256
7e806dba70d1aebe78da94be255857224c8d0c4e8c93dc665e18ff1afc02b8b7

SHA512
80b446920ada15b2ccea9e7694c645bf23210f235aac09edba016c7f0fbdc6cfac288fcc8814aed07d33d0286871fbcfbbf6b0a40dd11a504651f823b852a4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
194B

MD5
575b71e34ffa0a39bf9612f3a92784a7

SHA1
cac33148fbf0aa5d8edc2d4c52511bd3f4e9184c

SHA256
95b1d6de06d1ef981594ab11f3a0ff83e91ec24335c84ff1642f7f9d1a6ed689

SHA512
dc2b92e8228f774867e8a450bda685e7d779607e8d8afbc871a8e412b19d9bc959e83a583c2406fbea22d44df51532758dce3d5855be5f7a6c19ce242e7f6432

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
194B

MD5
a5de425173624314b63733fc269e2e7b

SHA1
36d5ab24dd11820d5e1537c393f0fc0f14386d90

SHA256
992173a6332ab5b31f13be7ca8bebcd31ceb91680e227aa5ea122df2ba901390

SHA512
791327fcd6b3a446060d0130674971849e1a7cf13b9cc8ed7b33bba634c862ff193a8bfc9a8fd518597ca49d42a71f4fa023e5d8fa45ebd2f3dbdced3b335379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat

Filesize
194B

MD5
e3887e020686915ed4b3b95c3f2ca83f

SHA1
8fcb20aa89231efd0da0a8d0a256b858f3a54746

SHA256
d2bb1a6bf5255172f28fa2ae433ca893517c69d101b7f7b99ca0f1da413da500

SHA512
db136794994d251ecb0318adc4cbe97be35170b123856cb247bf840766549eaaab53c3e93af256ca2fd25eb34415a1421ced589fff6ae0d5b832cd5499a34b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat

Filesize
194B

MD5
4f4fd524512fbd6dfd18f6860a34c28e

SHA1
55a86cbb1321e01499696e0c2b68d361dcfb01d2

SHA256
5a1f8f8e21ba4e50d0824ccc5f90f1bec3f183ea77401575dc64a46614ec6bf7

SHA512
5a7df281497850595cfd1aa8a0e3890950de1e5a2b21cc3b8b79aa43a3c1ddc898ea96773c016c29522931ad961de4d5a51f1942a0b912a6a8319928926195ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat

Filesize
194B

MD5
2a5e855f20fb604a0bc644d139df1685

SHA1
08737a4deda12ece088c73cfda7e4cf60dca7885

SHA256
ad64ec9d88578505c5fce0eefb876416955ec774821449151939164f383c59ae

SHA512
b58fc9ae6aedb63128070817bc3c81999e2616c1bcda31674cff4892c437aaabf357fff0b24ae967e0a580b2e859d884c9b53a8c430f8f80521260ddd196d72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

Filesize
194B

MD5
51858ff9b7149dc4dcbad2995e18f6ec

SHA1
74dd54e17c373ca0f4b654ef11302aae2fc389a6

SHA256
8de1b21913f99b217ab09a1d7cfec0a27f5e96226ead64dbc97164be1a0d2d58

SHA512
45c233d23fbbd13e98be5270b27335598af86c469fdcbb48a797f42b55665357f4ca315d1d199c7f9ab37046f981afdd3a9bee4340dee71aa87b76944dfe5421

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

Filesize
194B

MD5
51858ff9b7149dc4dcbad2995e18f6ec

SHA1
74dd54e17c373ca0f4b654ef11302aae2fc389a6

SHA256
8de1b21913f99b217ab09a1d7cfec0a27f5e96226ead64dbc97164be1a0d2d58

SHA512
45c233d23fbbd13e98be5270b27335598af86c469fdcbb48a797f42b55665357f4ca315d1d199c7f9ab37046f981afdd3a9bee4340dee71aa87b76944dfe5421

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat

Filesize
194B

MD5
58c1935d7dd22143d2e311b141c58a4d

SHA1
298ddbda39f89e11fb9c05549d91fcaed47ebc5e

SHA256
7691512c38991349bf0dd52068e2b7cc0708d2794e78cd37c9b0131f3d5a0cb1

SHA512
144f2226a17fe7d78193453542d4742dbfcded9122deb765213fae61865e827f76752a2570b929384a924b2a30ee58e0ab6b5354eebfe358b145b79230db84cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat

Filesize
194B

MD5
58c1935d7dd22143d2e311b141c58a4d

SHA1
298ddbda39f89e11fb9c05549d91fcaed47ebc5e

SHA256
7691512c38991349bf0dd52068e2b7cc0708d2794e78cd37c9b0131f3d5a0cb1

SHA512
144f2226a17fe7d78193453542d4742dbfcded9122deb765213fae61865e827f76752a2570b929384a924b2a30ee58e0ab6b5354eebfe358b145b79230db84cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
194B

MD5
dfbd77710a9b1826af48462d19c178d2

SHA1
6ebc2c99f2db0ab8a5df9ee1c21685942590577d

SHA256
ec53305e156e73c42e348e598cc1b8176c5e4559d5f1e51de8c814960079ccfa

SHA512
0469f245b46e6d330a26e3e3c7ea40b0c7e1dd322bee6a46912703b903d34f5e4daf388b2c8538e4e64780ec9169688d0702e95c9df5730aba5cb74d42ce49ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
194B

MD5
dfbd77710a9b1826af48462d19c178d2

SHA1
6ebc2c99f2db0ab8a5df9ee1c21685942590577d

SHA256
ec53305e156e73c42e348e598cc1b8176c5e4559d5f1e51de8c814960079ccfa

SHA512
0469f245b46e6d330a26e3e3c7ea40b0c7e1dd322bee6a46912703b903d34f5e4daf388b2c8538e4e64780ec9169688d0702e95c9df5730aba5cb74d42ce49ad

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\wininit.exe

Filesize
661KB

MD5
4b407ca2224298636677d304a84a2c3f

SHA1
8dbfaa322a5c189251f88efc7cde60c14a72e14d

SHA256
f36037ea653afd93cc6e350c540c21c71c6916b67515653b46bd4cbf27cf7549

SHA512
619ef88cd4a399224ccda9803802d163f23bd49388a5219d7d373bc87e21ecc6b57a5e54c87056159f7c1ad1962b275db7a9757814dad80b5d5446fd91c113a1

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/188-357-0x000001FED25E0000-0x000001FED2656000-memory.dmp

Filesize
472KB

Download
memory/1464-347-0x00000227FD620000-0x00000227FD642000-memory.dmp

Filesize
136KB

Download
memory/2404-161-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-144-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-163-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-162-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-175-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-179-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-178-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-164-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-160-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-159-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-158-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-157-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-156-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-117-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-155-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-154-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-153-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-176-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-174-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-152-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-151-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-150-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-173-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-165-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-149-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-172-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-148-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-147-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-146-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-145-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-171-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-177-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-143-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-166-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-142-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-141-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-140-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-139-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-138-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-137-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-136-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-135-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-134-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-133-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-167-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-132-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-170-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-131-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-130-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-129-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-128-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-127-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-126-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-169-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-125-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-124-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-122-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-121-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-119-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-118-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-168-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-116-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2848-341-0x0000000001210000-0x0000000001222000-memory.dmp

Filesize
72KB

Download
memory/3696-282-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/3696-285-0x000000001C6B0000-0x000000001C6BC000-memory.dmp

Filesize
48KB

Download
memory/3696-283-0x0000000002B80000-0x0000000002B92000-memory.dmp

Filesize
72KB

Download
memory/3696-284-0x0000000002B90000-0x0000000002B9C000-memory.dmp

Filesize
48KB

Download
memory/3696-286-0x0000000002BA0000-0x0000000002BAC000-memory.dmp

Filesize
48KB

Download
memory/4408-715-0x00000000008F0000-0x0000000000902000-memory.dmp

Filesize
72KB

Download
memory/4452-699-0x0000000001230000-0x0000000001242000-memory.dmp

Filesize
72KB

Download
memory/4656-668-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/4816-182-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-181-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download