dcrat | b9b0151baca543976a3ced7d89886683774af9768d8b1e4bb2f9b67efea17d55

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b0151baca543976a3ced7d89886683774af9768d8b1e4bb2f9b67efea17d55.exe
Size

1.3MB
MD5

130d5341589310f12814b9d879ddef10
SHA1

705a8925b5af7377e1317ad4663f3b6acfc51add
SHA256

b9b0151baca543976a3ced7d89886683774af9768d8b1e4bb2f9b67efea17d55
SHA512

ced9d37666f5196bb2b15e56b2bb5325e035c3ac87d14627d73835937dacbfe01d0bf282edddad6cde668a79eb148d4a9bfa766386ffb1da7094ceeea9d99cfb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	5088	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	5088	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac1c-280.dat	dcrat
behavioral1/files/0x000800000001ac1c-281.dat	dcrat
behavioral1/memory/4756-282-0x00000000009D0000-0x0000000000AE0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac21-505.dat	dcrat
behavioral1/files/0x000600000001ac21-507.dat	dcrat
behavioral1/files/0x000600000001ac21-612.dat	dcrat
behavioral1/files/0x000600000001ac21-618.dat	dcrat
behavioral1/files/0x000600000001ac21-624.dat	dcrat
behavioral1/files/0x000600000001ac21-629.dat	dcrat
behavioral1/files/0x000600000001ac21-634.dat	dcrat
behavioral1/files/0x000600000001ac21-640.dat	dcrat
behavioral1/files/0x000600000001ac21-646.dat	dcrat
behavioral1/files/0x000600000001ac21-652.dat	dcrat
behavioral1/files/0x000600000001ac21-657.dat	dcrat
behavioral1/files/0x000600000001ac21-662.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4756	DllCommonsvc.exe
2276	cmd.exe
4824	cmd.exe
1720	cmd.exe
2976	cmd.exe
4812	cmd.exe
4248	cmd.exe
3724	cmd.exe
2452	cmd.exe
3996	cmd.exe
316	cmd.exe
5080	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4856	schtasks.exe
4936	schtasks.exe
4412	schtasks.exe
4796	schtasks.exe
528	schtasks.exe
4940	schtasks.exe
4956	schtasks.exe
4888	schtasks.exe
920	schtasks.exe
788	schtasks.exe
1296	schtasks.exe
1560	schtasks.exe
436	schtasks.exe
4784	schtasks.exe
1688	schtasks.exe
764	schtasks.exe
4700	schtasks.exe
4288	schtasks.exe
3624	schtasks.exe
4988	schtasks.exe
604	schtasks.exe
608	schtasks.exe
1188	schtasks.exe
4360	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	b9b0151baca543976a3ced7d89886683774af9768d8b1e4bb2f9b67efea17d55.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
4756	DllCommonsvc.exe
1432	powershell.exe
1432	powershell.exe
1420	powershell.exe
1788	powershell.exe
380	powershell.exe
3376	powershell.exe
1420	powershell.exe
668	powershell.exe
204	powershell.exe
380	powershell.exe
2680	powershell.exe
3376	powershell.exe
1176	powershell.exe
204	powershell.exe
3376	powershell.exe
3376	powershell.exe
380	powershell.exe
1432	powershell.exe
1788	powershell.exe
1788	powershell.exe
668	powershell.exe
668	powershell.exe
1176	powershell.exe
1176	powershell.exe
2680	powershell.exe
2680	powershell.exe
1420	powershell.exe
1420	powershell.exe
204	powershell.exe
204	powershell.exe
1432	powershell.exe
1788	powershell.exe
668	powershell.exe
1176	powershell.exe
2680	powershell.exe
2276	cmd.exe
2276	cmd.exe
4824	cmd.exe
1720	cmd.exe
2976	cmd.exe
4812	cmd.exe
4248	cmd.exe
3724	cmd.exe
2452	cmd.exe
3996	cmd.exe
316	cmd.exe
5080	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	DllCommonsvc.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	204	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeIncreaseQuotaPrivilege	380	powershell.exe
Token: SeSecurityPrivilege	380	powershell.exe
Token: SeTakeOwnershipPrivilege	380	powershell.exe
Token: SeLoadDriverPrivilege	380	powershell.exe
Token: SeSystemProfilePrivilege	380	powershell.exe
Token: SeSystemtimePrivilege	380	powershell.exe
Token: SeProfSingleProcessPrivilege	380	powershell.exe
Token: SeIncBasePriorityPrivilege	380	powershell.exe
Token: SeCreatePagefilePrivilege	380	powershell.exe
Token: SeBackupPrivilege	380	powershell.exe
Token: SeRestorePrivilege	380	powershell.exe
Token: SeShutdownPrivilege	380	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeSystemEnvironmentPrivilege	380	powershell.exe
Token: SeRemoteShutdownPrivilege	380	powershell.exe
Token: SeUndockPrivilege	380	powershell.exe
Token: SeManageVolumePrivilege	380	powershell.exe
Token: 33	380	powershell.exe
Token: 34	380	powershell.exe
Token: 35	380	powershell.exe
Token: 36	380	powershell.exe
Token: SeIncreaseQuotaPrivilege	3376	powershell.exe
Token: SeSecurityPrivilege	3376	powershell.exe
Token: SeTakeOwnershipPrivilege	3376	powershell.exe
Token: SeLoadDriverPrivilege	3376	powershell.exe
Token: SeSystemProfilePrivilege	3376	powershell.exe
Token: SeSystemtimePrivilege	3376	powershell.exe
Token: SeProfSingleProcessPrivilege	3376	powershell.exe
Token: SeIncBasePriorityPrivilege	3376	powershell.exe
Token: SeCreatePagefilePrivilege	3376	powershell.exe
Token: SeBackupPrivilege	3376	powershell.exe
Token: SeRestorePrivilege	3376	powershell.exe
Token: SeShutdownPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeSystemEnvironmentPrivilege	3376	powershell.exe
Token: SeRemoteShutdownPrivilege	3376	powershell.exe
Token: SeUndockPrivilege	3376	powershell.exe
Token: SeManageVolumePrivilege	3376	powershell.exe
Token: 33	3376	powershell.exe
Token: 34	3376	powershell.exe
Token: 35	3376	powershell.exe
Token: 36	3376	powershell.exe
Token: SeDebugPrivilege	2276	cmd.exe
Token: SeIncreaseQuotaPrivilege	1420	powershell.exe
Token: SeSecurityPrivilege	1420	powershell.exe
Token: SeTakeOwnershipPrivilege	1420	powershell.exe
Token: SeLoadDriverPrivilege	1420	powershell.exe
Token: SeSystemProfilePrivilege	1420	powershell.exe
Token: SeSystemtimePrivilege	1420	powershell.exe
Token: SeProfSingleProcessPrivilege	1420	powershell.exe
Token: SeIncBasePriorityPrivilege	1420	powershell.exe
Token: SeCreatePagefilePrivilege	1420	powershell.exe
Token: SeBackupPrivilege	1420	powershell.exe
Token: SeRestorePrivilege	1420	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4352	4208	b9b0151baca543976a3ced7d89886683774af9768d8b1e4bb2f9b67efea17d55.exe	66
PID 4208 wrote to memory of 4352	4208	b9b0151baca543976a3ced7d89886683774af9768d8b1e4bb2f9b67efea17d55.exe	66
PID 4208 wrote to memory of 4352	4208	b9b0151baca543976a3ced7d89886683774af9768d8b1e4bb2f9b67efea17d55.exe	66
PID 4352 wrote to memory of 1372	4352	WScript.exe	67
PID 4352 wrote to memory of 1372	4352	WScript.exe	67
PID 4352 wrote to memory of 1372	4352	WScript.exe	67
PID 1372 wrote to memory of 4756	1372	cmd.exe	69
PID 1372 wrote to memory of 4756	1372	cmd.exe	69
PID 4756 wrote to memory of 1788	4756	DllCommonsvc.exe	95
PID 4756 wrote to memory of 1788	4756	DllCommonsvc.exe	95
PID 4756 wrote to memory of 1432	4756	DllCommonsvc.exe	96
PID 4756 wrote to memory of 1432	4756	DllCommonsvc.exe	96
PID 4756 wrote to memory of 1420	4756	DllCommonsvc.exe	103
PID 4756 wrote to memory of 1420	4756	DllCommonsvc.exe	103
PID 4756 wrote to memory of 380	4756	DllCommonsvc.exe	97
PID 4756 wrote to memory of 380	4756	DllCommonsvc.exe	97
PID 4756 wrote to memory of 668	4756	DllCommonsvc.exe	98
PID 4756 wrote to memory of 668	4756	DllCommonsvc.exe	98
PID 4756 wrote to memory of 3376	4756	DllCommonsvc.exe	99
PID 4756 wrote to memory of 3376	4756	DllCommonsvc.exe	99
PID 4756 wrote to memory of 204	4756	DllCommonsvc.exe	105
PID 4756 wrote to memory of 204	4756	DllCommonsvc.exe	105
PID 4756 wrote to memory of 2680	4756	DllCommonsvc.exe	111
PID 4756 wrote to memory of 2680	4756	DllCommonsvc.exe	111
PID 4756 wrote to memory of 1176	4756	DllCommonsvc.exe	107
PID 4756 wrote to memory of 1176	4756	DllCommonsvc.exe	107
PID 4756 wrote to memory of 2276	4756	DllCommonsvc.exe	113
PID 4756 wrote to memory of 2276	4756	DllCommonsvc.exe	113
PID 2276 wrote to memory of 1488	2276	cmd.exe	115
PID 2276 wrote to memory of 1488	2276	cmd.exe	115
PID 1488 wrote to memory of 1936	1488	cmd.exe	117
PID 1488 wrote to memory of 1936	1488	cmd.exe	117
PID 1488 wrote to memory of 4824	1488	cmd.exe	118
PID 1488 wrote to memory of 4824	1488	cmd.exe	118
PID 4824 wrote to memory of 4072	4824	cmd.exe	119
PID 4824 wrote to memory of 4072	4824	cmd.exe	119
PID 4072 wrote to memory of 1400	4072	cmd.exe	121
PID 4072 wrote to memory of 1400	4072	cmd.exe	121
PID 4072 wrote to memory of 1720	4072	cmd.exe	122
PID 4072 wrote to memory of 1720	4072	cmd.exe	122
PID 1720 wrote to memory of 4032	1720	cmd.exe	123
PID 1720 wrote to memory of 4032	1720	cmd.exe	123
PID 4032 wrote to memory of 2620	4032	cmd.exe	125
PID 4032 wrote to memory of 2620	4032	cmd.exe	125
PID 4032 wrote to memory of 2976	4032	cmd.exe	126
PID 4032 wrote to memory of 2976	4032	cmd.exe	126
PID 2976 wrote to memory of 3892	2976	cmd.exe	127
PID 2976 wrote to memory of 3892	2976	cmd.exe	127
PID 3892 wrote to memory of 4948	3892	cmd.exe	129
PID 3892 wrote to memory of 4948	3892	cmd.exe	129
PID 3892 wrote to memory of 4812	3892	cmd.exe	130
PID 3892 wrote to memory of 4812	3892	cmd.exe	130
PID 4812 wrote to memory of 708	4812	cmd.exe	133
PID 4812 wrote to memory of 708	4812	cmd.exe	133
PID 708 wrote to memory of 2820	708	cmd.exe	131
PID 708 wrote to memory of 2820	708	cmd.exe	131
PID 708 wrote to memory of 4248	708	cmd.exe	134
PID 708 wrote to memory of 4248	708	cmd.exe	134
PID 4248 wrote to memory of 4268	4248	cmd.exe	135
PID 4248 wrote to memory of 4268	4248	cmd.exe	135
PID 4268 wrote to memory of 4016	4268	cmd.exe	137
PID 4268 wrote to memory of 4016	4268	cmd.exe	137
PID 4268 wrote to memory of 3724	4268	cmd.exe	138
PID 4268 wrote to memory of 3724	4268	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\b9b0151baca543976a3ced7d89886683774af9768d8b1e4bb2f9b67efea17d55.exe
"C:\Users\Admin\AppData\Local\Temp\b9b0151baca543976a3ced7d89886683774af9768d8b1e4bb2f9b67efea17d55.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1936
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1400
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2620
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4948
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4016
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
        18⤵
        
        PID:1428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2512
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
        20⤵
        
        PID:4892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2220
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        22⤵
        
        PID:1252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1432
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
        24⤵
        
        PID:3360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1488
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat"
        26⤵
        
        PID:3752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ae6f0f620cf9ce16151dcc10681960a

SHA1
bdf55f4fd97ba5b49bb0b973bdfd59612c80eb1c

SHA256
859ad953a6804b021ddc01ee2f32b2d597849a2a480b4f38b0e45d67b673d911

SHA512
97bf6274791f75e8943129095b82150094b789e268f98960114837a2b0c2776c1ddd5c394c8e4b04bd4af684c4af4f4caea42d07134af3e2611d02571ada36fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ae6f0f620cf9ce16151dcc10681960a

SHA1
bdf55f4fd97ba5b49bb0b973bdfd59612c80eb1c

SHA256
859ad953a6804b021ddc01ee2f32b2d597849a2a480b4f38b0e45d67b673d911

SHA512
97bf6274791f75e8943129095b82150094b789e268f98960114837a2b0c2776c1ddd5c394c8e4b04bd4af684c4af4f4caea42d07134af3e2611d02571ada36fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3361a9cee0c9a0a0165572f0adbe859a

SHA1
cf74f7e1fdf7a373532cf48badbd703d981a7be3

SHA256
f5ba3fac7070d9edea3ddc2e32b52a3bf4478318a909d9cd5f57c347f0941a14

SHA512
380f2f78b11bb58d5c4c527b601d39723ce50c4f5320d3f2c42d0121510cbc45cd5789380c0c1d57457ad4e8c4adf425f54009d9083e09347d5fb5e0c91bc750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ca83017a43e5872dd1b1a36bd9e1bf3

SHA1
81d02aaeee7d004b5e3889750b18d66bd00862ca

SHA256
79811829e3ed8888557ca43d47f5d46ceb8ec14b62d63de10e1ef1c6c11a0b3d

SHA512
831b6b2d2bb5f08075287e03330427de791f268a50eebd9af428a71b24fde2c6441db5d1408b3ee87563c114c5854eee4679079d607bbe43a1226b2a5a3a79ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3361a9cee0c9a0a0165572f0adbe859a

SHA1
cf74f7e1fdf7a373532cf48badbd703d981a7be3

SHA256
f5ba3fac7070d9edea3ddc2e32b52a3bf4478318a909d9cd5f57c347f0941a14

SHA512
380f2f78b11bb58d5c4c527b601d39723ce50c4f5320d3f2c42d0121510cbc45cd5789380c0c1d57457ad4e8c4adf425f54009d9083e09347d5fb5e0c91bc750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
960cc43e23219ef4d29855f9c75a5009

SHA1
9f09defcba635688af31f0d0d46b476e74b995f3

SHA256
4e6d9ed1a299fb407a3cbf8dc11fe544d5e0bc0e9df6759b6121ddc22ea5ada8

SHA512
942a1911555c828a5e3b5847ee91c53b422429a0cb400febf3d108eef10d4c9be346fb5e22b0967adf4f905dd9dcb144c450144bbf806f5709f2d2e9fe8bad41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
960cc43e23219ef4d29855f9c75a5009

SHA1
9f09defcba635688af31f0d0d46b476e74b995f3

SHA256
4e6d9ed1a299fb407a3cbf8dc11fe544d5e0bc0e9df6759b6121ddc22ea5ada8

SHA512
942a1911555c828a5e3b5847ee91c53b422429a0cb400febf3d108eef10d4c9be346fb5e22b0967adf4f905dd9dcb144c450144bbf806f5709f2d2e9fe8bad41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
960cc43e23219ef4d29855f9c75a5009

SHA1
9f09defcba635688af31f0d0d46b476e74b995f3

SHA256
4e6d9ed1a299fb407a3cbf8dc11fe544d5e0bc0e9df6759b6121ddc22ea5ada8

SHA512
942a1911555c828a5e3b5847ee91c53b422429a0cb400febf3d108eef10d4c9be346fb5e22b0967adf4f905dd9dcb144c450144bbf806f5709f2d2e9fe8bad41

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat

Filesize
194B

MD5
118d6cff521494e5af7a2d37356b325e

SHA1
4627437169dbd1e69d49d0ff7e59546fe3ed9a43

SHA256
3bae2c567053ef7dcfb8c67ad68a6545d982075a768c5938a16587f6ea36cd74

SHA512
897fefa3857c5f8a34a4487ec75980abc692acb2d5a1be728b86132980002ea60e68f19b9210479da28d4c6e079042d643c804589c80290669e41191b9f67867

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

Filesize
194B

MD5
bccedca024dbf2c4378fe261aa1632ff

SHA1
3f8ad4d8e8b58af58bb333389ab98caf4f8442f0

SHA256
41f23f7dc058f9cf576d8d801d9a0f1a2c38710200a60edbea28815a79dabec8

SHA512
1e12c466a2b0d56c94d7b26de9e5b85a9390e8af720533355179b71235cbbac6d659368c4d71116d72fc6e03b8ed650bc2d19a7d6ae5d730ccdd0b6c61c48728

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat

Filesize
194B

MD5
fccd7d725adbb6b746135fd90917a7ab

SHA1
93a43437c3c6560909be44eef2184c843e71beda

SHA256
2f4c92e395a1b1fb09f5a89181734c50466e173150d632fda3128a4c16d89c0c

SHA512
054c2c95c7a528338697bd96534db0553c6bc1bb9535000847321a935dc1876226fff580463710fdd3f5c4bc068ead54622105fb1f60fb13eac80ffa13c4aca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
194B

MD5
7dc601f7e4af5ce331a890c3d07b0887

SHA1
ddcea67a15380c4c3c1e136c184a405a52b94db9

SHA256
9e453b75890a0501850c2da57ec2404aa21d806e96fde06ebaa4d5c64c9bee31

SHA512
e2f5788c2728e5c99dbc5486b8fc8487556af5cc2ea655c4987556bc199b32840c86561b7e4747fc80aaf6792aff5ddc79b1f5ca32b79669536ab2e2f3bcbe04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat

Filesize
194B

MD5
b5e84d823d4270100eb16b3302b9b858

SHA1
fb4c845974ee5be8ffd109353fb064f2d025ffad

SHA256
311dc0de1fab9c9345313e569b7126dd1830e7f9c49fc908ffb5d1af23cd4520

SHA512
959e357768ed3458d0ac7972a899779fe2895e447a03d258c4d76db833cbd64e0a3769beafdcb7bfed6f358d46ea49b36ff736239cc69a7c28ab8c9064ef5fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

Filesize
194B

MD5
42db5778bd4c43e6b1ec03e8a100fcf8

SHA1
8d5daeac8af14289249a614753247a6a236e4c3c

SHA256
c9dd7cad4d94bb3bd63eaa0c9d18bed408cff348a0749d62203c7d86409beca5

SHA512
7d8299ff79bb4b035a6c97fdbd22de48b86979305554eb4c5e1fb96b06e30de4f258920c2c8978e358e518cba8b7008d77018f205da9afbe02158c08c434f024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

Filesize
194B

MD5
7922192f6e7bc5f056c08ac13121fd5e

SHA1
ea78df7e57a334babb7c70e3776c5f2a0b0b2267

SHA256
ef5a582cddae8a07a3fa9ef27417e2c67fe654d5750a546074812659b7a34e61

SHA512
29ffea2edf43ee61fffb83612e3050082db1defa9916d6788119c4320759e58383681d0de17351bacba50a096e1a3d2cd4f98c187be480f2aa99b7a71627880d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

Filesize
194B

MD5
7922192f6e7bc5f056c08ac13121fd5e

SHA1
ea78df7e57a334babb7c70e3776c5f2a0b0b2267

SHA256
ef5a582cddae8a07a3fa9ef27417e2c67fe654d5750a546074812659b7a34e61

SHA512
29ffea2edf43ee61fffb83612e3050082db1defa9916d6788119c4320759e58383681d0de17351bacba50a096e1a3d2cd4f98c187be480f2aa99b7a71627880d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
194B

MD5
d82f2a5b364119b179e80c94e9bbe508

SHA1
db8096b1b46e6d40c016212013f58b06a58ba3a4

SHA256
207e5b801ee500ba2cd6dc1348c19c2edf0d5b88ccec500356a17152281e2d97

SHA512
09643e94e077f4f3e030f6cfc07abeeabec6f423fd4c686180b523d13fd2adcbb96dcd13d588c41518ff861fb4cc26446185b076d09766c78010a39f27b07f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat

Filesize
194B

MD5
840d8633a0340e20dd6b1cc91eeb75d8

SHA1
fbf24df3fc80f125b860f3e4ed045c03d7f174be

SHA256
a22d2f9c30b120386f95eb0574af2bf007e972795ba216d766b7ab25984e7777

SHA512
22c48f4fc7cef4f2dca023e161e299271befc1a70d3e7a4a488bb2e6810dd0b7a1d0e83aa87a32f2b107328c4f7ada8f504544b1d113a9348885bdf990cbd3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat

Filesize
194B

MD5
e84dcac3dbd340d18dfa9c0827188827

SHA1
f60d8a167b2beb29bcbb4c7b6184b3490d0b78a8

SHA256
5e9182e78f3942461b65c0eef44822e228b46b7d1261ede3cf533e7dc575acf4

SHA512
b8526a5fc82635dbf71685f107b634e5f0faab6b0bf9bd394d4e907c0740f7e4d48252d2d3cd9a7b9c4ebaa22f17ff04d7c81abb0b62fc85a3b86c0f86d0d074

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/204-293-0x0000000000000000-mapping.dmp

Download
memory/316-656-0x0000000000000000-mapping.dmp

Download
memory/380-339-0x000002E1F6D00000-0x000002E1F6D76000-memory.dmp

Filesize
472KB

Download
memory/380-290-0x0000000000000000-mapping.dmp

Download
memory/668-291-0x0000000000000000-mapping.dmp

Download
memory/708-630-0x0000000000000000-mapping.dmp

Download
memory/1176-297-0x0000000000000000-mapping.dmp

Download
memory/1252-653-0x0000000000000000-mapping.dmp

Download
memory/1372-256-0x0000000000000000-mapping.dmp

Download
memory/1400-616-0x0000000000000000-mapping.dmp

Download
memory/1420-289-0x0000000000000000-mapping.dmp

Download
memory/1428-642-0x0000000000000000-mapping.dmp

Download
memory/1432-331-0x00000183801E0000-0x0000018380202000-memory.dmp

Filesize
136KB

Download
memory/1432-655-0x0000000000000000-mapping.dmp

Download
memory/1432-288-0x0000000000000000-mapping.dmp

Download
memory/1488-590-0x0000000000000000-mapping.dmp

Download
memory/1488-660-0x0000000000000000-mapping.dmp

Download
memory/1720-619-0x0000000001620000-0x0000000001632000-memory.dmp

Filesize
72KB

Download
memory/1720-617-0x0000000000000000-mapping.dmp

Download
memory/1788-287-0x0000000000000000-mapping.dmp

Download
memory/1936-592-0x0000000000000000-mapping.dmp

Download
memory/2220-650-0x0000000000000000-mapping.dmp

Download
memory/2276-500-0x0000000000000000-mapping.dmp

Download
memory/2276-545-0x00000000014F0000-0x0000000001502000-memory.dmp

Filesize
72KB

Download
memory/2452-645-0x0000000000000000-mapping.dmp

Download
memory/2452-647-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/2512-644-0x0000000000000000-mapping.dmp

Download
memory/2620-622-0x0000000000000000-mapping.dmp

Download
memory/2680-294-0x0000000000000000-mapping.dmp

Download
memory/2820-632-0x0000000000000000-mapping.dmp

Download
memory/2976-623-0x0000000000000000-mapping.dmp

Download
memory/3360-658-0x0000000000000000-mapping.dmp

Download
memory/3376-292-0x0000000000000000-mapping.dmp

Download
memory/3724-641-0x0000000000FF0000-0x0000000001002000-memory.dmp

Filesize
72KB

Download
memory/3724-639-0x0000000000000000-mapping.dmp

Download
memory/3752-663-0x0000000000000000-mapping.dmp

Download
memory/3892-625-0x0000000000000000-mapping.dmp

Download
memory/3996-651-0x0000000000000000-mapping.dmp

Download
memory/4016-638-0x0000000000000000-mapping.dmp

Download
memory/4032-620-0x0000000000000000-mapping.dmp

Download
memory/4072-614-0x0000000000000000-mapping.dmp

Download
memory/4208-131-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-177-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-116-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-155-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-117-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-161-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-118-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-162-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-153-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-119-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-152-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-151-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-156-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-154-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-150-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-147-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-149-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-148-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-146-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-145-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-144-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-143-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-142-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-141-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-163-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-140-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-121-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-139-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-159-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-138-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-158-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-179-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-134-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-122-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-164-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-137-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-124-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-178-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-135-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-157-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-136-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-165-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-125-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-133-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-175-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-176-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-132-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-130-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-166-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-168-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-126-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-160-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-172-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-173-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-128-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-174-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-171-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-129-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-167-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-169-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-127-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4208-170-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4248-635-0x0000000001440000-0x0000000001452000-memory.dmp

Filesize
72KB

Download
memory/4248-633-0x0000000000000000-mapping.dmp

Download
memory/4268-636-0x0000000000000000-mapping.dmp

Download
memory/4352-180-0x0000000000000000-mapping.dmp

Download
memory/4352-182-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4352-181-0x0000000077C20000-0x0000000077DAE000-memory.dmp

Filesize
1.6MB

Download
memory/4756-283-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/4756-279-0x0000000000000000-mapping.dmp

Download
memory/4756-282-0x00000000009D0000-0x0000000000AE0000-memory.dmp

Filesize
1.1MB

Download
memory/4756-284-0x0000000000F30000-0x0000000000F3C000-memory.dmp

Filesize
48KB

Download
memory/4756-285-0x0000000002B40000-0x0000000002B4C000-memory.dmp

Filesize
48KB

Download
memory/4756-286-0x0000000002B50000-0x0000000002B5C000-memory.dmp

Filesize
48KB

Download
memory/4812-628-0x0000000000000000-mapping.dmp

Download
memory/4824-611-0x0000000000000000-mapping.dmp

Download
memory/4824-665-0x0000000000000000-mapping.dmp

Download
memory/4892-648-0x0000000000000000-mapping.dmp

Download
memory/4948-627-0x0000000000000000-mapping.dmp

Download
memory/5080-661-0x0000000000000000-mapping.dmp

Download