dcrat | a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59.exe
Size

1.3MB
MD5

c37b51715456e3d83d00ac9006d1df9a
SHA1

1075e939d17bf57497210a0b2f167a4458b865ce
SHA256

a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59
SHA512

fca2a40395eb2fc0dc182f1dce4deeca270d515f35354d1d04c59f306bfc261cf7b2593f911d272cae3116797a1a73b78122c541b0ad67ea5ae4bf60d2323741
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4412	schtasks.exe	25
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4412	schtasks.exe	25

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0001000000022e6d-137.dat	dcrat
behavioral1/files/0x0001000000022e6d-138.dat	dcrat
behavioral1/memory/5084-139-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/files/0x0001000000022e6f-183.dat	dcrat
behavioral1/files/0x0001000000022e6f-184.dat	dcrat
behavioral1/files/0x0001000000022e6f-191.dat	dcrat
behavioral1/files/0x0001000000022e6f-199.dat	dcrat
behavioral1/files/0x0001000000022e6f-206.dat	dcrat
behavioral1/files/0x0001000000022e6f-213.dat	dcrat
behavioral1/files/0x0001000000022e6f-220.dat	dcrat
behavioral1/files/0x0001000000022e6f-227.dat	dcrat
behavioral1/files/0x0001000000022e6f-234.dat	dcrat
behavioral1/files/0x0001000000022e6f-241.dat	dcrat

Executes dropped EXE 10 IoCs

pid	Process
5084	DllCommonsvc.exe
2520	wininit.exe
3496	wininit.exe
3224	wininit.exe
4808	wininit.exe
4704	wininit.exe
5036	wininit.exe
5088	wininit.exe
4632	wininit.exe
3452	wininit.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wininit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\sihost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2812	schtasks.exe
2512	schtasks.exe
3492	schtasks.exe
1216	schtasks.exe
2180	schtasks.exe
2564	schtasks.exe
3720	schtasks.exe
1060	schtasks.exe
4860	schtasks.exe
1864	schtasks.exe
4144	schtasks.exe
1344	schtasks.exe
3816	schtasks.exe
4876	schtasks.exe
720	schtasks.exe
4088	schtasks.exe
4036	schtasks.exe
2864	schtasks.exe
3732	schtasks.exe
4764	schtasks.exe
2224	schtasks.exe
4992	schtasks.exe
4772	schtasks.exe
3900	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wininit.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
5084	DllCommonsvc.exe
4224	powershell.exe
4224	powershell.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
2156	powershell.exe
2156	powershell.exe
2984	powershell.exe
2984	powershell.exe
2908	powershell.exe
2908	powershell.exe
4808	powershell.exe
4808	powershell.exe
3392	powershell.exe
3392	powershell.exe
396	powershell.exe
396	powershell.exe
4776	powershell.exe
4776	powershell.exe
4808	powershell.exe
4224	powershell.exe
2984	powershell.exe
2156	powershell.exe
2908	powershell.exe
396	powershell.exe
3392	powershell.exe
4776	powershell.exe
2520	wininit.exe
3496	wininit.exe
3224	wininit.exe
4808	wininit.exe
4704	wininit.exe
5036	wininit.exe
5088	wininit.exe
4632	wininit.exe
3452	wininit.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	DllCommonsvc.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2520	wininit.exe
Token: SeDebugPrivilege	3496	wininit.exe
Token: SeDebugPrivilege	3224	wininit.exe
Token: SeDebugPrivilege	4808	wininit.exe
Token: SeDebugPrivilege	4704	wininit.exe
Token: SeDebugPrivilege	5036	wininit.exe
Token: SeDebugPrivilege	5088	wininit.exe
Token: SeDebugPrivilege	4632	wininit.exe
Token: SeDebugPrivilege	3452	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 800	3404	a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59.exe	82
PID 3404 wrote to memory of 800	3404	a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59.exe	82
PID 3404 wrote to memory of 800	3404	a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59.exe	82
PID 800 wrote to memory of 912	800	WScript.exe	86
PID 800 wrote to memory of 912	800	WScript.exe	86
PID 800 wrote to memory of 912	800	WScript.exe	86
PID 912 wrote to memory of 5084	912	cmd.exe	88
PID 912 wrote to memory of 5084	912	cmd.exe	88
PID 5084 wrote to memory of 4224	5084	DllCommonsvc.exe	114
PID 5084 wrote to memory of 4224	5084	DllCommonsvc.exe	114
PID 5084 wrote to memory of 2984	5084	DllCommonsvc.exe	115
PID 5084 wrote to memory of 2984	5084	DllCommonsvc.exe	115
PID 5084 wrote to memory of 2908	5084	DllCommonsvc.exe	117
PID 5084 wrote to memory of 2908	5084	DllCommonsvc.exe	117
PID 5084 wrote to memory of 4732	5084	DllCommonsvc.exe	118
PID 5084 wrote to memory of 4732	5084	DllCommonsvc.exe	118
PID 5084 wrote to memory of 2156	5084	DllCommonsvc.exe	131
PID 5084 wrote to memory of 2156	5084	DllCommonsvc.exe	131
PID 5084 wrote to memory of 396	5084	DllCommonsvc.exe	129
PID 5084 wrote to memory of 396	5084	DllCommonsvc.exe	129
PID 5084 wrote to memory of 3392	5084	DllCommonsvc.exe	122
PID 5084 wrote to memory of 3392	5084	DllCommonsvc.exe	122
PID 5084 wrote to memory of 4808	5084	DllCommonsvc.exe	124
PID 5084 wrote to memory of 4808	5084	DllCommonsvc.exe	124
PID 5084 wrote to memory of 4776	5084	DllCommonsvc.exe	125
PID 5084 wrote to memory of 4776	5084	DllCommonsvc.exe	125
PID 5084 wrote to memory of 484	5084	DllCommonsvc.exe	132
PID 5084 wrote to memory of 484	5084	DllCommonsvc.exe	132
PID 484 wrote to memory of 432	484	cmd.exe	135
PID 484 wrote to memory of 432	484	cmd.exe	135
PID 484 wrote to memory of 2520	484	cmd.exe	137
PID 484 wrote to memory of 2520	484	cmd.exe	137
PID 2520 wrote to memory of 1020	2520	wininit.exe	139
PID 2520 wrote to memory of 1020	2520	wininit.exe	139
PID 1020 wrote to memory of 864	1020	cmd.exe	141
PID 1020 wrote to memory of 864	1020	cmd.exe	141
PID 1020 wrote to memory of 3496	1020	cmd.exe	142
PID 1020 wrote to memory of 3496	1020	cmd.exe	142
PID 3496 wrote to memory of 2396	3496	wininit.exe	143
PID 3496 wrote to memory of 2396	3496	wininit.exe	143
PID 2396 wrote to memory of 1348	2396	cmd.exe	145
PID 2396 wrote to memory of 1348	2396	cmd.exe	145
PID 2396 wrote to memory of 3224	2396	cmd.exe	146
PID 2396 wrote to memory of 3224	2396	cmd.exe	146
PID 3224 wrote to memory of 1164	3224	wininit.exe	147
PID 3224 wrote to memory of 1164	3224	wininit.exe	147
PID 1164 wrote to memory of 2796	1164	cmd.exe	149
PID 1164 wrote to memory of 2796	1164	cmd.exe	149
PID 1164 wrote to memory of 4808	1164	cmd.exe	150
PID 1164 wrote to memory of 4808	1164	cmd.exe	150
PID 4808 wrote to memory of 2616	4808	wininit.exe	151
PID 4808 wrote to memory of 2616	4808	wininit.exe	151
PID 2616 wrote to memory of 3456	2616	cmd.exe	153
PID 2616 wrote to memory of 3456	2616	cmd.exe	153
PID 2616 wrote to memory of 4704	2616	cmd.exe	154
PID 2616 wrote to memory of 4704	2616	cmd.exe	154
PID 4704 wrote to memory of 3136	4704	wininit.exe	155
PID 4704 wrote to memory of 3136	4704	wininit.exe	155
PID 3136 wrote to memory of 3644	3136	cmd.exe	157
PID 3136 wrote to memory of 3644	3136	cmd.exe	157
PID 3136 wrote to memory of 5036	3136	cmd.exe	158
PID 3136 wrote to memory of 5036	3136	cmd.exe	158
PID 5036 wrote to memory of 3392	5036	wininit.exe	159
PID 5036 wrote to memory of 3392	5036	wininit.exe	159

C:\Users\Admin\AppData\Local\Temp\a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59.exe
"C:\Users\Admin\AppData\Local\Temp\a79d2080f508be04e2ef251c68b8642fa3287ef9eb3c77afd201eb677af72d59.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gcz2NYt95O.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:484
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:432
      - C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:864
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1348
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2796
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3456
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3644
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        17⤵
        
        PID:3392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5040
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        19⤵
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3708
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        21⤵
        
        PID:676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:872
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        23⤵
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

Filesize
198B

MD5
4448f3e7bf196b211fc96149c90d5ddc

SHA1
35a1197e3d310b5f1cbe0f0c4b747645dd5c437f

SHA256
5c7aa639b1311fcbf3c8604ef0f6a9fd118651334aafd0a0e683baec8c15cc61

SHA512
b2cb97977c57d0490d85dae13c39828bcbcb6663e6fad1dc881598ba7d4080ece7f9583e990c1e4e6b14ee00034ececd2046ac73d4ad8d66b36502276307b9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
198B

MD5
20b31e31389995802f96edb7d266baee

SHA1
9efb3db18443c08316f100d9a85c38951523b40c

SHA256
2a03361ae80beadc2f5469a3418f01c4017000d5b6218cca284388c3a2502b4e

SHA512
130ae571ca478b7d560168358ba2c19e94d332703113b621091261a8923016aaebba8cf9c05c1451006802040a29d3955590ad7060a65346658781effeac9ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
198B

MD5
1f37a67e2f78b217a83b8a1a378c9599

SHA1
46e728e9db5bccbe9dc9236f73752d155c8b4275

SHA256
14e646a1d4d5fae0b97070cd0022b708f992871681601d8d9adad8fd763ed6e3

SHA512
094291e41117eaa3449ad973e59dff7af6238b7d5473547698b1d506bc5dc7aea4cfea2b3c9b7845c60024176d2798196174747dd2c3261c2360a02684e7d024

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

Filesize
198B

MD5
a72899aa8f1ecce598ce1b9d3367f10c

SHA1
4b9736bb08b0cce2691ba1a0abcf48d787dbe746

SHA256
73ed4433c666f6b876f63367ce72fcd5fd5833c5bdc24bfe38bc70f1ed255788

SHA512
f13d020bbbd97f492daf7a18b646301beb0082ec6ad767d78484a132a02193c433c69af87472702fb2773a9d37956749861387a6154b321ad7caccc59c81e25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
198B

MD5
ac743a398314e0da8b003cc6b59c74f3

SHA1
23205aa0eb692453238650bfe1b7f1a1e16c0a48

SHA256
7b0b9ef939f0da4a5cd7603cab5af875a5246adc0631aeabde24c93b68614803

SHA512
c63b30fc413faccbd47c33da8e3d1e74a012e9ff8696c71d35c9357b53c4904e5405e8ba3790f1ed5523f1ae0b05b25f1ebe53a952750243fce7c7db0c394ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
198B

MD5
ac743a398314e0da8b003cc6b59c74f3

SHA1
23205aa0eb692453238650bfe1b7f1a1e16c0a48

SHA256
7b0b9ef939f0da4a5cd7603cab5af875a5246adc0631aeabde24c93b68614803

SHA512
c63b30fc413faccbd47c33da8e3d1e74a012e9ff8696c71d35c9357b53c4904e5405e8ba3790f1ed5523f1ae0b05b25f1ebe53a952750243fce7c7db0c394ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
198B

MD5
a73287f2d5da78d06b0e1a9356b6c22b

SHA1
2050428f80d70fe8d3bec19c3d6a0d646cdaef4b

SHA256
1a37f60c0b24906669041e50c6ffd2f679f761589baf25beb171dca0e180d910

SHA512
f58dbba4643d6fb433f722bc52b2effa1195e0ef9b0ecbea3d66b0117112866c09c074a607d5dbf019affd927fe979d2fc6397704e21264b55f440226d5dffaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcz2NYt95O.bat

Filesize
198B

MD5
4561720430f027bcdff2b2e5fcd0d50d

SHA1
5d0427dd74af9f933b042aef5066c68b99d033b4

SHA256
6a9c3f0f8c1a0007235cb56c7059af3d59a2c4fa938a42a858a674c160988fea

SHA512
f885ebca8c1f1b4f32125aa6ec1b0b165040c90d2d01a6a5d07faccb27c2adca3ffb20b76ac66f9294316118f7e72de9cc637ec36dbc40fb8274da8b03088ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
198B

MD5
9042644c2232a28201fd9675de4e86c9

SHA1
e29d8f3d10ad56269bae35bd432467e6404ebd1e

SHA256
15734ddf65e44edcf6fa28ed59f1f01bd8ca60b52a9065ff956c2d4bbc7b4982

SHA512
e93f381a55da9e3f699b4069adcfbb1b040a6e9c08783840692dafd11f21c1e68dfd779e3e04b60aad5e7726ffa3bce64b558563ccc2f31ad3a11ab2ee73ea7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
198B

MD5
e2ba8d42171d5ad93c51702bb0b530e9

SHA1
9e055d9633b0a119ece9e857dd9dbaa1c7686e85

SHA256
76bb9ac525a36763bb2896a4ea7afbe13a50b8a34a5cc87457028e645d77e66b

SHA512
ac49ac5f36fbc12febe7b05d41e4ab6a2f2f902ed49efcde33d88885e328c7ac51c293aec3543d3b1bfa35c98af47dba6f97704fcbe620d82fefb26fb46aef90

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/396-179-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/396-158-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/2156-175-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/2156-157-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/2520-189-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/2520-185-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/2908-177-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/2908-155-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/2984-169-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/2984-153-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/3224-200-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/3224-204-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-180-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-161-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-246-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-242-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/3496-197-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/3496-193-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4224-152-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4224-172-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4224-150-0x0000012379FD0000-0x0000012379FF2000-memory.dmp

Filesize
136KB

Download
memory/4632-239-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4632-235-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4704-218-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4704-214-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4732-156-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4732-164-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-163-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-181-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-207-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-171-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-159-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-211-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-225-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-221-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-154-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-140-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-139-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/5088-228-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-232-0x00007FF8F8820000-0x00007FF8F92E1000-memory.dmp

Filesize
10.8MB

Download