dcrat | 9a3a04d510ab0bf2d9b37ffd499e3fa064712ef15228758c0da33c6478101c8c

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a3a04d510ab0bf2d9b37ffd499e3fa064712ef15228758c0da33c6478101c8c.exe
Size

1.3MB
MD5

45553dd4d4585a0595ec617842bd94d0
SHA1

738676f73d209d3f600f55bf64c8d1fe72902240
SHA256

9a3a04d510ab0bf2d9b37ffd499e3fa064712ef15228758c0da33c6478101c8c
SHA512

995c66cb8279428d93a8b62b93748ba9bd8183d86ee99e751fdebbb6bcc8931b6e4215854ceb501870766f9c7950a9d56612c034088d5cdb63da42b29eff3542
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	5052	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	5052	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001abba-284.dat	dcrat
behavioral1/files/0x000900000001abba-285.dat	dcrat
behavioral1/memory/3704-286-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/files/0x000600000001abd5-514.dat	dcrat
behavioral1/files/0x000600000001abd5-515.dat	dcrat
behavioral1/files/0x000600000001abd5-549.dat	dcrat
behavioral1/files/0x000600000001abd5-555.dat	dcrat
behavioral1/files/0x000600000001abd5-561.dat	dcrat
behavioral1/files/0x000600000001abd5-567.dat	dcrat
behavioral1/files/0x000600000001abd5-572.dat	dcrat
behavioral1/files/0x000600000001abd5-578.dat	dcrat
behavioral1/files/0x000600000001abd5-583.dat	dcrat
behavioral1/files/0x000600000001abd5-589.dat	dcrat
behavioral1/files/0x000600000001abd5-594.dat	dcrat
behavioral1/files/0x000600000001abd5-599.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3704	DllCommonsvc.exe
3796	explorer.exe
4272	explorer.exe
4944	explorer.exe
4732	explorer.exe
3180	explorer.exe
1656	explorer.exe
4808	explorer.exe
1540	explorer.exe
2128	explorer.exe
1484	explorer.exe
4664	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\services.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\.NET CLR Data\0411\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\INF\.NET CLR Data\0411\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4636	schtasks.exe
4604	schtasks.exe
4724	schtasks.exe
2988	schtasks.exe
3984	schtasks.exe
3080	schtasks.exe
4668	schtasks.exe
4416	schtasks.exe
4596	schtasks.exe
4576	schtasks.exe
4588	schtasks.exe
1984	schtasks.exe
5072	schtasks.exe
4528	schtasks.exe
4564	schtasks.exe
2468	schtasks.exe
4392	schtasks.exe
4704	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	9a3a04d510ab0bf2d9b37ffd499e3fa064712ef15228758c0da33c6478101c8c.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3704	DllCommonsvc.exe
3704	DllCommonsvc.exe
3704	DllCommonsvc.exe
3704	DllCommonsvc.exe
424	powershell.exe
3992	powershell.exe
424	powershell.exe
4112	powershell.exe
4736	powershell.exe
1068	powershell.exe
4736	powershell.exe
4772	powershell.exe
1416	powershell.exe
1416	powershell.exe
4736	powershell.exe
3992	powershell.exe
424	powershell.exe
4772	powershell.exe
1068	powershell.exe
1416	powershell.exe
4112	powershell.exe
3992	powershell.exe
4772	powershell.exe
1068	powershell.exe
4112	powershell.exe
3796	explorer.exe
4272	explorer.exe
4944	explorer.exe
4732	explorer.exe
3180	explorer.exe
1656	explorer.exe
4808	explorer.exe
1540	explorer.exe
2128	explorer.exe
1484	explorer.exe
4664	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	DllCommonsvc.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeIncreaseQuotaPrivilege	4736	powershell.exe
Token: SeSecurityPrivilege	4736	powershell.exe
Token: SeTakeOwnershipPrivilege	4736	powershell.exe
Token: SeLoadDriverPrivilege	4736	powershell.exe
Token: SeSystemProfilePrivilege	4736	powershell.exe
Token: SeSystemtimePrivilege	4736	powershell.exe
Token: SeProfSingleProcessPrivilege	4736	powershell.exe
Token: SeIncBasePriorityPrivilege	4736	powershell.exe
Token: SeCreatePagefilePrivilege	4736	powershell.exe
Token: SeBackupPrivilege	4736	powershell.exe
Token: SeRestorePrivilege	4736	powershell.exe
Token: SeShutdownPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeSystemEnvironmentPrivilege	4736	powershell.exe
Token: SeRemoteShutdownPrivilege	4736	powershell.exe
Token: SeUndockPrivilege	4736	powershell.exe
Token: SeManageVolumePrivilege	4736	powershell.exe
Token: 33	4736	powershell.exe
Token: 34	4736	powershell.exe
Token: 35	4736	powershell.exe
Token: 36	4736	powershell.exe
Token: SeIncreaseQuotaPrivilege	424	powershell.exe
Token: SeSecurityPrivilege	424	powershell.exe
Token: SeTakeOwnershipPrivilege	424	powershell.exe
Token: SeLoadDriverPrivilege	424	powershell.exe
Token: SeSystemProfilePrivilege	424	powershell.exe
Token: SeSystemtimePrivilege	424	powershell.exe
Token: SeProfSingleProcessPrivilege	424	powershell.exe
Token: SeIncBasePriorityPrivilege	424	powershell.exe
Token: SeCreatePagefilePrivilege	424	powershell.exe
Token: SeBackupPrivilege	424	powershell.exe
Token: SeRestorePrivilege	424	powershell.exe
Token: SeShutdownPrivilege	424	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeSystemEnvironmentPrivilege	424	powershell.exe
Token: SeRemoteShutdownPrivilege	424	powershell.exe
Token: SeUndockPrivilege	424	powershell.exe
Token: SeManageVolumePrivilege	424	powershell.exe
Token: 33	424	powershell.exe
Token: 34	424	powershell.exe
Token: 35	424	powershell.exe
Token: 36	424	powershell.exe
Token: SeIncreaseQuotaPrivilege	1416	powershell.exe
Token: SeSecurityPrivilege	1416	powershell.exe
Token: SeTakeOwnershipPrivilege	1416	powershell.exe
Token: SeLoadDriverPrivilege	1416	powershell.exe
Token: SeSystemProfilePrivilege	1416	powershell.exe
Token: SeSystemtimePrivilege	1416	powershell.exe
Token: SeProfSingleProcessPrivilege	1416	powershell.exe
Token: SeIncBasePriorityPrivilege	1416	powershell.exe
Token: SeCreatePagefilePrivilege	1416	powershell.exe
Token: SeBackupPrivilege	1416	powershell.exe
Token: SeRestorePrivilege	1416	powershell.exe
Token: SeShutdownPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeSystemEnvironmentPrivilege	1416	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3480	2840	9a3a04d510ab0bf2d9b37ffd499e3fa064712ef15228758c0da33c6478101c8c.exe	66
PID 2840 wrote to memory of 3480	2840	9a3a04d510ab0bf2d9b37ffd499e3fa064712ef15228758c0da33c6478101c8c.exe	66
PID 2840 wrote to memory of 3480	2840	9a3a04d510ab0bf2d9b37ffd499e3fa064712ef15228758c0da33c6478101c8c.exe	66
PID 3480 wrote to memory of 2212	3480	WScript.exe	67
PID 3480 wrote to memory of 2212	3480	WScript.exe	67
PID 3480 wrote to memory of 2212	3480	WScript.exe	67
PID 2212 wrote to memory of 3704	2212	cmd.exe	69
PID 2212 wrote to memory of 3704	2212	cmd.exe	69
PID 3704 wrote to memory of 4736	3704	DllCommonsvc.exe	89
PID 3704 wrote to memory of 4736	3704	DllCommonsvc.exe	89
PID 3704 wrote to memory of 3992	3704	DllCommonsvc.exe	93
PID 3704 wrote to memory of 3992	3704	DllCommonsvc.exe	93
PID 3704 wrote to memory of 424	3704	DllCommonsvc.exe	92
PID 3704 wrote to memory of 424	3704	DllCommonsvc.exe	92
PID 3704 wrote to memory of 4112	3704	DllCommonsvc.exe	94
PID 3704 wrote to memory of 4112	3704	DllCommonsvc.exe	94
PID 3704 wrote to memory of 4772	3704	DllCommonsvc.exe	95
PID 3704 wrote to memory of 4772	3704	DllCommonsvc.exe	95
PID 3704 wrote to memory of 1068	3704	DllCommonsvc.exe	96
PID 3704 wrote to memory of 1068	3704	DllCommonsvc.exe	96
PID 3704 wrote to memory of 1416	3704	DllCommonsvc.exe	100
PID 3704 wrote to memory of 1416	3704	DllCommonsvc.exe	100
PID 3704 wrote to memory of 656	3704	DllCommonsvc.exe	103
PID 3704 wrote to memory of 656	3704	DllCommonsvc.exe	103
PID 656 wrote to memory of 2964	656	cmd.exe	105
PID 656 wrote to memory of 2964	656	cmd.exe	105
PID 656 wrote to memory of 3796	656	cmd.exe	107
PID 656 wrote to memory of 3796	656	cmd.exe	107
PID 3796 wrote to memory of 1260	3796	explorer.exe	108
PID 3796 wrote to memory of 1260	3796	explorer.exe	108
PID 1260 wrote to memory of 4296	1260	cmd.exe	110
PID 1260 wrote to memory of 4296	1260	cmd.exe	110
PID 1260 wrote to memory of 4272	1260	cmd.exe	111
PID 1260 wrote to memory of 4272	1260	cmd.exe	111
PID 4272 wrote to memory of 780	4272	explorer.exe	112
PID 4272 wrote to memory of 780	4272	explorer.exe	112
PID 780 wrote to memory of 4432	780	cmd.exe	114
PID 780 wrote to memory of 4432	780	cmd.exe	114
PID 780 wrote to memory of 4944	780	cmd.exe	115
PID 780 wrote to memory of 4944	780	cmd.exe	115
PID 4944 wrote to memory of 4360	4944	explorer.exe	116
PID 4944 wrote to memory of 4360	4944	explorer.exe	116
PID 4360 wrote to memory of 2304	4360	cmd.exe	118
PID 4360 wrote to memory of 2304	4360	cmd.exe	118
PID 4360 wrote to memory of 4732	4360	cmd.exe	119
PID 4360 wrote to memory of 4732	4360	cmd.exe	119
PID 4732 wrote to memory of 4576	4732	explorer.exe	120
PID 4732 wrote to memory of 4576	4732	explorer.exe	120
PID 4576 wrote to memory of 3784	4576	cmd.exe	122
PID 4576 wrote to memory of 3784	4576	cmd.exe	122
PID 4576 wrote to memory of 3180	4576	cmd.exe	123
PID 4576 wrote to memory of 3180	4576	cmd.exe	123
PID 3180 wrote to memory of 3132	3180	explorer.exe	124
PID 3180 wrote to memory of 3132	3180	explorer.exe	124
PID 3132 wrote to memory of 3760	3132	cmd.exe	126
PID 3132 wrote to memory of 3760	3132	cmd.exe	126
PID 3132 wrote to memory of 1656	3132	cmd.exe	127
PID 3132 wrote to memory of 1656	3132	cmd.exe	127
PID 1656 wrote to memory of 1488	1656	explorer.exe	128
PID 1656 wrote to memory of 1488	1656	explorer.exe	128
PID 1488 wrote to memory of 1412	1488	cmd.exe	130
PID 1488 wrote to memory of 1412	1488	cmd.exe	130
PID 1488 wrote to memory of 4808	1488	cmd.exe	131
PID 1488 wrote to memory of 4808	1488	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\9a3a04d510ab0bf2d9b37ffd499e3fa064712ef15228758c0da33c6478101c8c.exe
"C:\Users\Admin\AppData\Local\Temp\9a3a04d510ab0bf2d9b37ffd499e3fa064712ef15228758c0da33c6478101c8c.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\.NET CLR Data\0411\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EAiji8mFha.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2964
      - C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4296
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4432
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2304
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3784
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3760
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1412
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
        19⤵
        
        PID:3108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2204
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        21⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:5064
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        23⤵
        
        PID:4760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3352
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"
        25⤵
        
        PID:1296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3816
        
        C:\Windows\INF\.NET CLR Data\0411\explorer.exe
        
        "C:\Windows\INF\.NET CLR Data\0411\explorer.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\.NET CLR Data\0411\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\INF\.NET CLR Data\0411\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET CLR Data\0411\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1a73250d1da6eba1f213bd2be2df2d5

SHA1
d4e97f3200649369c7ff767eb72f58ac5b82819b

SHA256
742abcf8f3e45ea3dfad1423e92acda2f20293637eadd0d1e9aaf820517071ef

SHA512
034642e039b076b2a960963a156577210ffc95b829af9a080f5be5328ef5d43a816e40b856618acd74a58f6328b74e1c27b03c83f3f66b2401f81a794e4ec634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1a73250d1da6eba1f213bd2be2df2d5

SHA1
d4e97f3200649369c7ff767eb72f58ac5b82819b

SHA256
742abcf8f3e45ea3dfad1423e92acda2f20293637eadd0d1e9aaf820517071ef

SHA512
034642e039b076b2a960963a156577210ffc95b829af9a080f5be5328ef5d43a816e40b856618acd74a58f6328b74e1c27b03c83f3f66b2401f81a794e4ec634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
82f7dd2b0214cf2e1d849478ad5b04d0

SHA1
6d8e4bda2ed7c32250daa0edbf67738fd8109798

SHA256
48fc26a3cff8665b6c8aa7c358fdd28ba5c90f1e86c53fecd7d6bc0322d3b9b8

SHA512
d66e634f81ab3165086793f4b2490d87b5c0c590c2ebafbc3a75afc1e132d77c8bc4ec1940e38e4b818222e9ca6e657e72719a649c099a9470827a598ac67304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4158e99cbe1e3ae856753bdb5aac59aa

SHA1
6475a9e8d6702a78dbbcb0d23d9545bab3d644cc

SHA256
fbaa696f4925f7587e5aec17bf0791a881a2075201c74b173ab4288538225636

SHA512
ecdab10f6b01627ebdbd112c52376ad755e8d50e72bf52a231fc16970a01fa0a3e01b452877f871edeb0d50cd15e5a48a73d9b3ef8c5c98a2d3f6ec9b71dfd59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
983b2ef7a42e6fa98015912c12b342db

SHA1
61f009b4950b9ca858ac18f9b35d83c6e4beab6d

SHA256
629eb4bdad7416be4bbc3a7fb29001f1e612ed28a361e6e2e8368fa9ccaa31d0

SHA512
888c6d388216896a3816bf0d9803303cd5ecbd51b4146da8f569cf196f9db742f2007313575489a8c44218a61918996d04930f30386657f17fbfe507e19ebe69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97200c078a970b26982158d3633968ad

SHA1
3a0e518193c2e93d7da02675975afdf50dbe07aa

SHA256
c600c7eb88084d4a248b1ac366a40defec43ba8b6f05581cad518157b1015b16

SHA512
899e5c86b52132b11b79e8958549bacaeca91439f32d2f33a96d7ba3a354acc5eef1adde9e9772efe766ba9e3cdee19e24f507e9f877790dc328d636d598c1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
211B

MD5
e686ab8bf1350acbd6b7e23d3e2b094a

SHA1
c7d1cdef3ac1604eb306f21789cb39e9b0838ed2

SHA256
d2d14ea200425cd23988bc1dd8bb8b49cdcd98da5ac0743d547d0e119ac89135

SHA512
697aa68f8b313ca896494e1f947d68b87f95705634412cce1557b618cdf1a2034732349193ea9bdf71629f61f1483f38cc252ad5ee8dcb19f3bb9096c06175b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

Filesize
211B

MD5
5f2cafc52ce6f305955cb54d788bb906

SHA1
d3d37c4df65a95e11c927041752905cb677024fd

SHA256
8eccb53f74007fd51804af5b2a7abaa715cc0e5595c178fb9e8129edd44f90ab

SHA512
2e02a3e20eca4f51e82db7381c8503e9ccba0b0acc99468039f506cd47f7885cfb2df9ddf111bc128c04c2f73a21040745af1e3fd36072977f91324ddef1c284

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
211B

MD5
948d0138cf18a9083b4e61ad3d97d221

SHA1
52784fe3a65ecd30120fa4ed57b9305240afeb01

SHA256
903fd6c4c613577190557b070ff09499dd93ef97239eaf98eb3e7db809292dd4

SHA512
e16eac7d0474057e548853843c34f9f66e68ce92a7b1be13b87b72fcd4ceaf20483e3a2305b452abdf24e6099ee4e57d6a6eb595b628c0c39b4b3f4cc87837da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
211B

MD5
72806418e8c754328b3adfdf8eda611e

SHA1
5f224047722c568bf1e0d0bd0eb9319c379ecc88

SHA256
2970b586fd5039bf7af9e9458a7e7ed0b2b0dd009841d0f46bdabcb9a9147953

SHA512
45cf4579f744c843a7cc8f7108048b2ce037cc35ae54a0ae9d61a60797328cfb40bc36c9cbc6d79f8f46a23547d404455358b99fcc873da2ec48bcf741dc28ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAiji8mFha.bat

Filesize
211B

MD5
17a3aad0476c4d3e828d16063382f672

SHA1
fc75ce5aa8e0ffcd97b1147f4bf2c4fae2935664

SHA256
ff33264313a2daab89e6909ea10c0d9ad933beff38804ea76200157e73a59756

SHA512
376ea48b8fd3cb8c216a57227a4e415dca200db5c9bc4a4c5e6ca7a10bdf026ed3b7006145d2ee505c1ed5b469ed2af0f686f831f30eba2266600ff45b9f2832

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

Filesize
211B

MD5
3a9a1a512b06b9df4f892d5cd9b069fb

SHA1
338b2a29d7ac15174ad0a94845cd499a1fb269f8

SHA256
935e73a0a306194fe7a2664b35e656e21f4c86166cdd52539470cbfb2fddabdc

SHA512
92d9a995a895fef9802c74128f389cd13a5df1cea6a3f51c45cdc7314a91d58221ecfe0c0ee0111737ba197a74c492bfe0252f024cbb7d9bc1bcbe75a7c29824

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat

Filesize
211B

MD5
d74f7738571c9ab3522f3bee6c60ea08

SHA1
75313c91794d53fcbe1f8b749be342dcc3630dea

SHA256
5b185518b2648ed2110502c3ab74f48f5d58213791d003be89e7161520cc7432

SHA512
d23b3e30a214b41c095a84117063c3277653c85657d9405ac7d67e86888fb4f215a18ed19422de60054f7e3283d18d7f861801df826fee1ac02f125bc9b8deb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat

Filesize
211B

MD5
9df297fcf311ae26a42c8d41f8ff2273

SHA1
ca6cf6b5e1b8fa58f3c34da59a6db296826d6b67

SHA256
0f4cf3ac4c611078d0021115fd9eb2b60cc2de0a0e7d36296b6badb29a6f0db4

SHA512
c12cd6baf9631db8b5bc1f70ce34f8ab8d387b4601a697d09d2b3eceba8179e61a78106e013afd07bf038aab189069fdc1ba6bec27a8a73a5bce03f497929a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
211B

MD5
242640e38006a3597e7cbfb07b26d8f6

SHA1
76ccb052b9f7da18bb4eee697a1efb8d1f0709a6

SHA256
b85c97f4664332bd5cf2ad24fb25f11d1852b84b485af30f3efd1de064afd7ab

SHA512
cbefa91af93bf379f1b3b1b8b2f8a492983aa02d1460cd9a04339e9009fb370ed51aa277b74a0ce234604ee5cf95d03946e47972fe972d70040830a1da9c4165

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
211B

MD5
1fd69076942cc58a57d412c12aaafc36

SHA1
c1a51e4b9d5b3c39d95b35b9d69c6eeff1562628

SHA256
d5a1f99902f11ae94495130899de7f16b11340697fa2a45d4d77b729445f93a6

SHA512
18ed39c4b6d090b27a8799244e09489e0e82a3694259701ae1b1f94dffd002327673dbac30dc896bccff20d5e1e5f74232222109a9d3a5f285d2bfa1f73a282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

Filesize
211B

MD5
18d5e5f8b6aeddf1ffb5e5381f563259

SHA1
130bb859b901752dc46eeb50086e43faa96cab49

SHA256
fee3da86a1dbe3bfd507827a2b743cc14e5f71a5fb1585c1345ec225867bcaba

SHA512
c1a1bfc6a523d77c0c32605a234f4c9eddeb60a9975addd58ca86e6c48083833d63bcc6e5a5bb5bf02de8508d21fd89426395152b68c56c4440ffbf8e7f7d5ad

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\.NET CLR Data\0411\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1540-584-0x0000000002980000-0x0000000002992000-memory.dmp

Filesize
72KB

Download
memory/1656-573-0x0000000001690000-0x00000000016A2000-memory.dmp

Filesize
72KB

Download
memory/2840-160-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-152-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-178-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-179-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-180-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-181-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-182-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-183-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-121-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-122-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-123-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-176-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-175-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-174-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-125-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-173-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-172-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-126-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-128-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-129-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-130-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-131-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-132-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-133-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-170-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-171-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-169-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-134-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-135-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-168-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-136-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-137-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-138-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-167-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-139-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-166-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-165-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-140-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-164-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-163-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-162-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-161-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-120-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-159-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-158-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-157-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-141-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-156-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-142-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-155-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-177-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-154-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-153-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-143-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-144-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-151-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-145-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-146-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-150-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-149-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-147-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-148-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3480-186-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3480-185-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3704-288-0x0000000002C50000-0x0000000002C5C000-memory.dmp

Filesize
48KB

Download
memory/3704-289-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/3704-290-0x0000000002C40000-0x0000000002C4C000-memory.dmp

Filesize
48KB

Download
memory/3704-286-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/3704-287-0x0000000001320000-0x0000000001332000-memory.dmp

Filesize
72KB

Download
memory/3796-516-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/3992-327-0x000002ABB8760000-0x000002ABB8782000-memory.dmp

Filesize
136KB

Download
memory/4732-562-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/4736-332-0x0000016E76C00000-0x0000016E76C76000-memory.dmp

Filesize
472KB

Download
memory/4944-556-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download