dcrat | 320964491c052392f40ff227f83a556095a2162408e223ea1a83643da4cabff1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

320964491c052392f40ff227f83a556095a2162408e223ea1a83643da4cabff1.exe
Size

1.3MB
MD5

5e9865e20474b8fd61f20189345475d2
SHA1

d9dfd15f965e3f952e5c48e2bbb87d846f4b5577
SHA256

320964491c052392f40ff227f83a556095a2162408e223ea1a83643da4cabff1
SHA512

b92ebf8be22bed371274023d711de705d912c013a51089cc4bfcdf9a83ed8e2ea96b04da46686b698c6dad881cdd03a1d1328a3d9ad8f7b63f00197858250c01
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	3356	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	3356	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac56-281.dat	dcrat
behavioral1/files/0x000800000001ac56-280.dat	dcrat
behavioral1/memory/1356-282-0x00000000006F0000-0x0000000000800000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac5d-596.dat	dcrat
behavioral1/files/0x000600000001ac5d-597.dat	dcrat
behavioral1/files/0x000600000001ac5d-637.dat	dcrat
behavioral1/files/0x000600000001ac5d-644.dat	dcrat
behavioral1/files/0x000600000001ac5d-650.dat	dcrat
behavioral1/files/0x000600000001ac5d-656.dat	dcrat
behavioral1/files/0x000600000001ac5d-661.dat	dcrat
behavioral1/files/0x000600000001ac5d-666.dat	dcrat
behavioral1/files/0x000600000001ac5d-672.dat	dcrat
behavioral1/files/0x000600000001ac5d-677.dat	dcrat
behavioral1/files/0x000600000001ac5d-682.dat	dcrat
behavioral1/files/0x000600000001ac5d-688.dat	dcrat
behavioral1/files/0x000600000001ac5d-694.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
1356	DllCommonsvc.exe
4580	RuntimeBroker.exe
368	RuntimeBroker.exe
4840	RuntimeBroker.exe
4592	RuntimeBroker.exe
4796	RuntimeBroker.exe
5060	RuntimeBroker.exe
3288	RuntimeBroker.exe
3028	RuntimeBroker.exe
4116	RuntimeBroker.exe
5004	RuntimeBroker.exe
2760	RuntimeBroker.exe
3340	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_netax88772.inf.resources_31bf3856ad364e35_10.0.15063.0_es-es_1a45fe42047ae5bc\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3692	schtasks.exe
4992	schtasks.exe
3920	schtasks.exe
3772	schtasks.exe
420	schtasks.exe
592	schtasks.exe
4772	schtasks.exe
4744	schtasks.exe
3976	schtasks.exe
3852	schtasks.exe
1948	schtasks.exe
4904	schtasks.exe
504	schtasks.exe
4820	schtasks.exe
1080	schtasks.exe
4952	schtasks.exe
4628	schtasks.exe
4440	schtasks.exe
4456	schtasks.exe
4968	schtasks.exe
4892	schtasks.exe
4884	schtasks.exe
4840	schtasks.exe
4956	schtasks.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	320964491c052392f40ff227f83a556095a2162408e223ea1a83643da4cabff1.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1356	DllCommonsvc.exe
1356	DllCommonsvc.exe
1356	DllCommonsvc.exe
760	powershell.exe
1132	powershell.exe
660	powershell.exe
1196	powershell.exe
1428	powershell.exe
1928	powershell.exe
1088	powershell.exe
1520	powershell.exe
760	powershell.exe
3492	powershell.exe
1428	powershell.exe
1520	powershell.exe
1088	powershell.exe
760	powershell.exe
660	powershell.exe
1132	powershell.exe
1196	powershell.exe
1928	powershell.exe
1428	powershell.exe
1088	powershell.exe
1520	powershell.exe
3492	powershell.exe
660	powershell.exe
1132	powershell.exe
1196	powershell.exe
1928	powershell.exe
3492	powershell.exe
4580	RuntimeBroker.exe
4580	RuntimeBroker.exe
368	RuntimeBroker.exe
4840	RuntimeBroker.exe
4592	RuntimeBroker.exe
4796	RuntimeBroker.exe
5060	RuntimeBroker.exe
3288	RuntimeBroker.exe
3028	RuntimeBroker.exe
4116	RuntimeBroker.exe
5004	RuntimeBroker.exe
2760	RuntimeBroker.exe
3340	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	DllCommonsvc.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeIncreaseQuotaPrivilege	760	powershell.exe
Token: SeSecurityPrivilege	760	powershell.exe
Token: SeTakeOwnershipPrivilege	760	powershell.exe
Token: SeLoadDriverPrivilege	760	powershell.exe
Token: SeSystemProfilePrivilege	760	powershell.exe
Token: SeSystemtimePrivilege	760	powershell.exe
Token: SeProfSingleProcessPrivilege	760	powershell.exe
Token: SeIncBasePriorityPrivilege	760	powershell.exe
Token: SeCreatePagefilePrivilege	760	powershell.exe
Token: SeBackupPrivilege	760	powershell.exe
Token: SeRestorePrivilege	760	powershell.exe
Token: SeShutdownPrivilege	760	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeSystemEnvironmentPrivilege	760	powershell.exe
Token: SeRemoteShutdownPrivilege	760	powershell.exe
Token: SeUndockPrivilege	760	powershell.exe
Token: SeManageVolumePrivilege	760	powershell.exe
Token: 33	760	powershell.exe
Token: 34	760	powershell.exe
Token: 35	760	powershell.exe
Token: 36	760	powershell.exe
Token: SeIncreaseQuotaPrivilege	1520	powershell.exe
Token: SeSecurityPrivilege	1520	powershell.exe
Token: SeTakeOwnershipPrivilege	1520	powershell.exe
Token: SeLoadDriverPrivilege	1520	powershell.exe
Token: SeSystemProfilePrivilege	1520	powershell.exe
Token: SeSystemtimePrivilege	1520	powershell.exe
Token: SeProfSingleProcessPrivilege	1520	powershell.exe
Token: SeIncBasePriorityPrivilege	1520	powershell.exe
Token: SeCreatePagefilePrivilege	1520	powershell.exe
Token: SeBackupPrivilege	1520	powershell.exe
Token: SeRestorePrivilege	1520	powershell.exe
Token: SeShutdownPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeSystemEnvironmentPrivilege	1520	powershell.exe
Token: SeRemoteShutdownPrivilege	1520	powershell.exe
Token: SeUndockPrivilege	1520	powershell.exe
Token: SeManageVolumePrivilege	1520	powershell.exe
Token: 33	1520	powershell.exe
Token: 34	1520	powershell.exe
Token: 35	1520	powershell.exe
Token: 36	1520	powershell.exe
Token: SeIncreaseQuotaPrivilege	1088	powershell.exe
Token: SeSecurityPrivilege	1088	powershell.exe
Token: SeTakeOwnershipPrivilege	1088	powershell.exe
Token: SeLoadDriverPrivilege	1088	powershell.exe
Token: SeSystemProfilePrivilege	1088	powershell.exe
Token: SeSystemtimePrivilege	1088	powershell.exe
Token: SeProfSingleProcessPrivilege	1088	powershell.exe
Token: SeIncBasePriorityPrivilege	1088	powershell.exe
Token: SeCreatePagefilePrivilege	1088	powershell.exe
Token: SeBackupPrivilege	1088	powershell.exe
Token: SeRestorePrivilege	1088	powershell.exe
Token: SeShutdownPrivilege	1088	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4252	3812	320964491c052392f40ff227f83a556095a2162408e223ea1a83643da4cabff1.exe	66
PID 3812 wrote to memory of 4252	3812	320964491c052392f40ff227f83a556095a2162408e223ea1a83643da4cabff1.exe	66
PID 3812 wrote to memory of 4252	3812	320964491c052392f40ff227f83a556095a2162408e223ea1a83643da4cabff1.exe	66
PID 4252 wrote to memory of 4240	4252	WScript.exe	67
PID 4252 wrote to memory of 4240	4252	WScript.exe	67
PID 4252 wrote to memory of 4240	4252	WScript.exe	67
PID 4240 wrote to memory of 1356	4240	cmd.exe	69
PID 4240 wrote to memory of 1356	4240	cmd.exe	69
PID 1356 wrote to memory of 1132	1356	DllCommonsvc.exe	95
PID 1356 wrote to memory of 1132	1356	DllCommonsvc.exe	95
PID 1356 wrote to memory of 760	1356	DllCommonsvc.exe	110
PID 1356 wrote to memory of 760	1356	DllCommonsvc.exe	110
PID 1356 wrote to memory of 660	1356	DllCommonsvc.exe	109
PID 1356 wrote to memory of 660	1356	DllCommonsvc.exe	109
PID 1356 wrote to memory of 1428	1356	DllCommonsvc.exe	98
PID 1356 wrote to memory of 1428	1356	DllCommonsvc.exe	98
PID 1356 wrote to memory of 1928	1356	DllCommonsvc.exe	99
PID 1356 wrote to memory of 1928	1356	DllCommonsvc.exe	99
PID 1356 wrote to memory of 1196	1356	DllCommonsvc.exe	100
PID 1356 wrote to memory of 1196	1356	DllCommonsvc.exe	100
PID 1356 wrote to memory of 1088	1356	DllCommonsvc.exe	105
PID 1356 wrote to memory of 1088	1356	DllCommonsvc.exe	105
PID 1356 wrote to memory of 1520	1356	DllCommonsvc.exe	101
PID 1356 wrote to memory of 1520	1356	DllCommonsvc.exe	101
PID 1356 wrote to memory of 3492	1356	DllCommonsvc.exe	102
PID 1356 wrote to memory of 3492	1356	DllCommonsvc.exe	102
PID 1356 wrote to memory of 3816	1356	DllCommonsvc.exe	113
PID 1356 wrote to memory of 3816	1356	DllCommonsvc.exe	113
PID 3816 wrote to memory of 4736	3816	cmd.exe	115
PID 3816 wrote to memory of 4736	3816	cmd.exe	115
PID 3816 wrote to memory of 4580	3816	cmd.exe	117
PID 3816 wrote to memory of 4580	3816	cmd.exe	117
PID 4580 wrote to memory of 2236	4580	RuntimeBroker.exe	118
PID 4580 wrote to memory of 2236	4580	RuntimeBroker.exe	118
PID 2236 wrote to memory of 924	2236	cmd.exe	120
PID 2236 wrote to memory of 924	2236	cmd.exe	120
PID 2236 wrote to memory of 368	2236	cmd.exe	121
PID 2236 wrote to memory of 368	2236	cmd.exe	121
PID 368 wrote to memory of 3920	368	RuntimeBroker.exe	122
PID 368 wrote to memory of 3920	368	RuntimeBroker.exe	122
PID 3920 wrote to memory of 3516	3920	cmd.exe	124
PID 3920 wrote to memory of 3516	3920	cmd.exe	124
PID 3920 wrote to memory of 4840	3920	cmd.exe	125
PID 3920 wrote to memory of 4840	3920	cmd.exe	125
PID 4840 wrote to memory of 1692	4840	RuntimeBroker.exe	126
PID 4840 wrote to memory of 1692	4840	RuntimeBroker.exe	126
PID 1692 wrote to memory of 4572	1692	cmd.exe	128
PID 1692 wrote to memory of 4572	1692	cmd.exe	128
PID 1692 wrote to memory of 4592	1692	cmd.exe	129
PID 1692 wrote to memory of 4592	1692	cmd.exe	129
PID 4592 wrote to memory of 4884	4592	RuntimeBroker.exe	130
PID 4592 wrote to memory of 4884	4592	RuntimeBroker.exe	130
PID 4884 wrote to memory of 3896	4884	cmd.exe	132
PID 4884 wrote to memory of 3896	4884	cmd.exe	132
PID 4884 wrote to memory of 4796	4884	cmd.exe	133
PID 4884 wrote to memory of 4796	4884	cmd.exe	133
PID 4796 wrote to memory of 3460	4796	RuntimeBroker.exe	134
PID 4796 wrote to memory of 3460	4796	RuntimeBroker.exe	134
PID 3460 wrote to memory of 2324	3460	cmd.exe	136
PID 3460 wrote to memory of 2324	3460	cmd.exe	136
PID 3460 wrote to memory of 5060	3460	cmd.exe	137
PID 3460 wrote to memory of 5060	3460	cmd.exe	137
PID 5060 wrote to memory of 208	5060	RuntimeBroker.exe	138
PID 5060 wrote to memory of 208	5060	RuntimeBroker.exe	138

C:\Users\Admin\AppData\Local\Temp\320964491c052392f40ff227f83a556095a2162408e223ea1a83643da4cabff1.exe
"C:\Users\Admin\AppData\Local\Temp\320964491c052392f40ff227f83a556095a2162408e223ea1a83643da4cabff1.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\znO1lvPXh0.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3816
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4736
      - C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:924
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3516
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4572
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3896
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2324
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        17⤵
        
        PID:208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4844
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
        19⤵
        
        PID:3484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1088
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        21⤵
        
        PID:1104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3580
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"
        23⤵
        
        PID:1836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4868
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        25⤵
        
        PID:3144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4548
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
        27⤵
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1868
        
        C:\providercommon\RuntimeBroker.exe
        
        "C:\providercommon\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        29⤵
        
        PID:4648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27d73d86cce709d2ff44b379b8bf53fc

SHA1
a2962677b63e9ddc6a2bfeccce8de427fc970355

SHA256
f4c87a2941bc59aa8fb07c6b02e1630ba296ffaa89c9f517fa6ce6f6645b9606

SHA512
81e966f2c7ccae45ef3374ff0b6998207d7b589c778e389c02f6339d076b0c5f7f6924e77c8ac11f864d837b5dc18480c60470801f45facf981a301478d2b6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27d73d86cce709d2ff44b379b8bf53fc

SHA1
a2962677b63e9ddc6a2bfeccce8de427fc970355

SHA256
f4c87a2941bc59aa8fb07c6b02e1630ba296ffaa89c9f517fa6ce6f6645b9606

SHA512
81e966f2c7ccae45ef3374ff0b6998207d7b589c778e389c02f6339d076b0c5f7f6924e77c8ac11f864d837b5dc18480c60470801f45facf981a301478d2b6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
406be8269a4f64cea519a5ab41214543

SHA1
b25e39aa4f8dd2d19a0df12dccdc14dca8ec433f

SHA256
4fb4b7d9d9a1257bd4e85dc660401dfc950c4023d509076a6c72bb8259a478cc

SHA512
1fb65f345327aec118977dc51b295f6d24a342f22d3f431f8dde7a801ac11a0fccf6f5a66ab8c387e632500e44d4793ed5a6778942cde4574a6a4d4ee24d1550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
89fcd330d83ec75c3f8a35a09a1efee5

SHA1
444199382a6d16959d7e22ba8f8bb32549bcd080

SHA256
a7ff4fe90f1bddc52ff8a73f34dc8d6901f35e29aa1a7cb8b2af67025e3448de

SHA512
08d448e4772ec9357783965c2b5a253361dd580d02eebddcf00c7ceb86f7a3c5f3ba93e3cf4a3515256a049438873247691840f2877de0e30941e8c309ba98b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63d29eca310355fb22ad3612f2a0cb9d

SHA1
2a176993ed9afe0b635521f7d06160ba4dbb5bfa

SHA256
8b3b04a5580e79f577d17507a59b65835f889f8615e5aa17c1318d5c26d528f9

SHA512
07bd4097415754a6a021f2655b623e577fe3516933d3733c9ef2bb4d402a8cc6093aae0386ab565f56f2c7372b6441781e894cb6e6a6a374d5e9bd18f7f4017c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d82ed57b2a597f360a3e5faf17cadc92

SHA1
5219ea62fa66029a69c849007e1df6478db8d964

SHA256
2708563b7a1cc9792c2161c0a4e9b5f8265790ebf2c14e7ae52830051f44d7ae

SHA512
294a5e71a883def9ed0a569635f2bc3b410312a1b360be9bdef29447613945e0bd702bd97e179021af284a5030a53f1f090e82c3641ea0c9332d2ed3e716dbb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d82ed57b2a597f360a3e5faf17cadc92

SHA1
5219ea62fa66029a69c849007e1df6478db8d964

SHA256
2708563b7a1cc9792c2161c0a4e9b5f8265790ebf2c14e7ae52830051f44d7ae

SHA512
294a5e71a883def9ed0a569635f2bc3b410312a1b360be9bdef29447613945e0bd702bd97e179021af284a5030a53f1f090e82c3641ea0c9332d2ed3e716dbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

Filesize
200B

MD5
b0ca81a6585d0b8e41bb7b3e564dfb8d

SHA1
73886dd9895eb59a842047b6c360db2449b3e44a

SHA256
1ed48e4357eb7714ecca7733dd15ff48c2fc3756ebb0c38331556b00d8923e29

SHA512
5c3c9186cefd169b4e99db4bfa518d36fc3ea990664d9625d8a69696719ef785b24b297155c72fdeb06662710263972799e0fed182907127fd37cbc1830dbf0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat

Filesize
200B

MD5
11e2ce406905bb54ed80e33b1adb24f5

SHA1
c66abbbc2d89f2abeca4fc9db679ec1680a98596

SHA256
cea01352752b7b82cdb2f387cda7e21d48b9633857bbd94f13c738edb8768a22

SHA512
122a138ac5b3b158c74bd95878da647be81e6b3f3822944540da473412ba242d29eb7f5da397fcb3265f03f2da9f71620d7d6dd0821e024f2a80ec29b3aa6dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
200B

MD5
943c5970309bcef7a88b61ecfdff4993

SHA1
251ddbce493058055cf10553ab303456bd179542

SHA256
0ce97680b32b360204e8a660e34f2fd0d07b4df80333da6f60044305ef110ffa

SHA512
14b463e24ba5789076bac9dd8463efa190f3e0645c984853b65a271938a758a577239240f1a9701d530828e9e727270961e7c1ba1e20f2347c02dd15d528ee62

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat

Filesize
200B

MD5
8b0110ccc62200e5c31e26d263a7d8b1

SHA1
139d8e56861655a70c582e887fac10530be47e7a

SHA256
26839c65b41b632266087b0bddcbbe0017243f4c7c8df8f8008f033aca951c31

SHA512
f19e2806f53134cc6a4790b44d6d26dea46369bdfa10b13afee1d43734cf42668d47f5b0be436c913a7cb63389548be6b67f1af616a5a8aa83b9259a6fa38503

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

Filesize
200B

MD5
59f41185733696a6c24bf7bb73aff607

SHA1
e26e41f9d2738757aabe85be25c46cacc6aef317

SHA256
34d792eab45365c6e8a61b0317b5c8c54cc30cbbeb79fdf2973476ca2c21b62c

SHA512
3ba092ee5a41f6ceb8b95f5f4df64a06d1981f3ace97f804989dec26759ddf5cf3359f03b9d254e457fe53edc3f30ebdc37661d13d72413049b68053c9857446

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
200B

MD5
403a53b73a99ebfbaba4a043f535e79a

SHA1
301f75db23a2d6aa7405de4981f9f8399221c99a

SHA256
01276d26d6c662c1d16bbf3c43831bb146146f177b82f81590b9a2cc2e2da212

SHA512
a1f0c9f4ba5b71389e60e9deed7085c5871aded51d0d0acf656b23f25a64eb49753e463ac5530d3b228de363384dc21a108657ccfe61fc4d9b01048bd535aa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat

Filesize
200B

MD5
66fecb4516147c9682246e8ac09ecf5d

SHA1
dd49311b23a95b1e5bf301fd2e5944206ec5e6df

SHA256
2a9ddc5860451c7190d292b6be356ef78625ae5a4df990375bd8c88c2f1a4abb

SHA512
2903e0d7c0d24ed06f0d3f9181af2fc9a227542c884d854b833e260d62c3f622d8854df5f564f11e336a1a03935d765632d777828c4ddfbbe589048c55f2dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

Filesize
200B

MD5
bdc2d32393f2fdd2a9cd4faf3ffeb980

SHA1
ac6da2920d6b6e02ade123082e93c7ad0db572c6

SHA256
43da1b30776456f42deea0ecd61357def80f11cf71ad1714942212a162bd1d7d

SHA512
ffc63d21fe6a340b85ab38a6e14b04a1391ac008b2a02439460686a029ac02a02f06269d9ed11d89cd3013b6424f3e90edc2979f97f8c76db147bde53c96542c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
200B

MD5
a2440f74f18e420c7ffe72667d180c83

SHA1
c87bfbe756e1629abc22dd66ea5731a0d49ce4e8

SHA256
94931ccaf60e896225c1d6b30a6819f81ad9f6fa342fd472773c913e5f119b6f

SHA512
466d5fff685c13d400c9d698706c1dd2c6a98e571304843c9ffde57f4ba604857f7e2ef0998992174de2fab986aa68eb2627aa7b566facf4843d0153cbc3a9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
200B

MD5
8eac92902b9a81a9377d7650b98d4f00

SHA1
6febe16bea4dd630f5a89fe6a117417e3556acc7

SHA256
020fbe8d2ee21c00c41104b001577c593af39ed28c82466cbe6aa6f24b870ed0

SHA512
0d36451a4c18b0ef326eed0df477825f6cbc10deacec8d15ccacf9d5d8dc7115a817a755ca7e9dcd9b729b2595f86393cad5281356830be1d91e58aa96ec05c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
200B

MD5
8eac92902b9a81a9377d7650b98d4f00

SHA1
6febe16bea4dd630f5a89fe6a117417e3556acc7

SHA256
020fbe8d2ee21c00c41104b001577c593af39ed28c82466cbe6aa6f24b870ed0

SHA512
0d36451a4c18b0ef326eed0df477825f6cbc10deacec8d15ccacf9d5d8dc7115a817a755ca7e9dcd9b729b2595f86393cad5281356830be1d91e58aa96ec05c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat

Filesize
200B

MD5
27806ee3deca9b0b5419a1b6f24feedf

SHA1
49db02c32bfde7e4f00f52783131d4e9aecf306b

SHA256
c6decd71d201ba29daf3956e63166f1f2c4f577df5c74db24e0c2e1fce17dd18

SHA512
87f5e3a944662ebf2a75edaac4761bd61c25d7326fe75b7e6bec32315cb4bee14cee4763a6b3ba60986b3d5a296b250118a46cf339e7209c4c1b3f8dc94ea678

Download Submit
C:\Users\Admin\AppData\Local\Temp\znO1lvPXh0.bat

Filesize
200B

MD5
f38dabdbc53d79bca7c2f633bb303998

SHA1
9a4ab714764f071a410b56f60d2a53b71e7d6149

SHA256
4b0d4304d6936f2d842777d67ac7558dad43ba4a1c5da2f194b0ed0005174152

SHA512
dff9c57d9eaebe2e2cbfffbcf20a820b0376ebf06250bd69eabc1d234829a8da74a27549f4a0551200a747285292a4211244ece1d390ec757ec682c2794b67a8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/368-639-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/760-342-0x0000015D49730000-0x0000015D49752000-memory.dmp

Filesize
136KB

Download
memory/760-347-0x0000015D63A30000-0x0000015D63AA6000-memory.dmp

Filesize
472KB

Download
memory/1356-286-0x0000000002970000-0x000000000297C000-memory.dmp

Filesize
48KB

Download
memory/1356-285-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/1356-284-0x0000000002980000-0x000000000298C000-memory.dmp

Filesize
48KB

Download
memory/1356-283-0x0000000000F50000-0x0000000000F62000-memory.dmp

Filesize
72KB

Download
memory/1356-282-0x00000000006F0000-0x0000000000800000-memory.dmp

Filesize
1.1MB

Download
memory/2760-689-0x0000000001370000-0x0000000001382000-memory.dmp

Filesize
72KB

Download
memory/3288-667-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/3812-160-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-134-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-178-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-117-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-118-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-119-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-121-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-179-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-177-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-122-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-174-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-124-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-176-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-175-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-172-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-173-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-171-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-165-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-169-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-168-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-170-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-167-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-166-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-164-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-163-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-162-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-157-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-161-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-116-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-125-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-158-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-159-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-126-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-156-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-127-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-155-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-154-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-128-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-153-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-130-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-129-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-131-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-152-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-132-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-133-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-151-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-150-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-149-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-148-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-135-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-147-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-146-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-144-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-136-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-145-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-143-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-142-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-141-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-140-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-139-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-138-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3812-137-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/4252-181-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/4252-182-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/4592-651-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/4840-645-0x00000000014A0000-0x00000000014B2000-memory.dmp

Filesize
72KB

Download
memory/5004-683-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download