dcrat | 58566925d97e2ab4173afb444a2440de84007947d468b9c8238d5b70ff941176

Analysis

max time kernel
133s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58566925d97e2ab4173afb444a2440de84007947d468b9c8238d5b70ff941176.exe
Size

1.3MB
MD5

8fe5984fbeaaa6e5b0f7b6b62f75f201
SHA1

45ae293f85b063724540cb24bc6f954e8ea13b91
SHA256

58566925d97e2ab4173afb444a2440de84007947d468b9c8238d5b70ff941176
SHA512

d7089a7973c9c8578cbc9d85214bf05084d52f0d09c8b28ded755ba37f3d0e3241c431c3fe356ca01a82c32bbe3a99aa348cd4015f132360f2067872f048c8ff
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	4228	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	4228	schtasks.exe	70

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac16-281.dat	dcrat
behavioral1/files/0x000900000001ac16-282.dat	dcrat
behavioral1/memory/4592-283-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac24-506.dat	dcrat
behavioral1/files/0x000600000001ac24-507.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
4592	DllCommonsvc.exe
552	ShellExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5020	schtasks.exe
4052	schtasks.exe
4040	schtasks.exe
4748	schtasks.exe
4432	schtasks.exe
4780	schtasks.exe
4468	schtasks.exe
4648	schtasks.exe
4688	schtasks.exe
676	schtasks.exe
5060	schtasks.exe
4440	schtasks.exe
4472	schtasks.exe
4720	schtasks.exe
4000	schtasks.exe
4840	schtasks.exe
4672	schtasks.exe
624	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	58566925d97e2ab4173afb444a2440de84007947d468b9c8238d5b70ff941176.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
4592	DllCommonsvc.exe
4816	powershell.exe
4700	powershell.exe
4656	powershell.exe
4428	powershell.exe
1328	powershell.exe
3160	powershell.exe
4816	powershell.exe
4700	powershell.exe
1320	powershell.exe
4656	powershell.exe
1328	powershell.exe
1320	powershell.exe
4816	powershell.exe
4656	powershell.exe
1328	powershell.exe
4700	powershell.exe
4428	powershell.exe
3160	powershell.exe
1320	powershell.exe
4428	powershell.exe
3160	powershell.exe
552	ShellExperienceHost.exe
552	ShellExperienceHost.exe
552	ShellExperienceHost.exe
552	ShellExperienceHost.exe
552	ShellExperienceHost.exe
552	ShellExperienceHost.exe
552	ShellExperienceHost.exe
552	ShellExperienceHost.exe
552	ShellExperienceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
552	ShellExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	DllCommonsvc.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeIncreaseQuotaPrivilege	4656	powershell.exe
Token: SeSecurityPrivilege	4656	powershell.exe
Token: SeTakeOwnershipPrivilege	4656	powershell.exe
Token: SeLoadDriverPrivilege	4656	powershell.exe
Token: SeSystemProfilePrivilege	4656	powershell.exe
Token: SeSystemtimePrivilege	4656	powershell.exe
Token: SeProfSingleProcessPrivilege	4656	powershell.exe
Token: SeIncBasePriorityPrivilege	4656	powershell.exe
Token: SeCreatePagefilePrivilege	4656	powershell.exe
Token: SeBackupPrivilege	4656	powershell.exe
Token: SeRestorePrivilege	4656	powershell.exe
Token: SeShutdownPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeSystemEnvironmentPrivilege	4656	powershell.exe
Token: SeRemoteShutdownPrivilege	4656	powershell.exe
Token: SeUndockPrivilege	4656	powershell.exe
Token: SeManageVolumePrivilege	4656	powershell.exe
Token: 33	4656	powershell.exe
Token: 34	4656	powershell.exe
Token: 35	4656	powershell.exe
Token: 36	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	1328	powershell.exe
Token: SeSecurityPrivilege	1328	powershell.exe
Token: SeTakeOwnershipPrivilege	1328	powershell.exe
Token: SeLoadDriverPrivilege	1328	powershell.exe
Token: SeSystemProfilePrivilege	1328	powershell.exe
Token: SeSystemtimePrivilege	1328	powershell.exe
Token: SeProfSingleProcessPrivilege	1328	powershell.exe
Token: SeIncBasePriorityPrivilege	1328	powershell.exe
Token: SeCreatePagefilePrivilege	1328	powershell.exe
Token: SeBackupPrivilege	1328	powershell.exe
Token: SeRestorePrivilege	1328	powershell.exe
Token: SeShutdownPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeSystemEnvironmentPrivilege	1328	powershell.exe
Token: SeRemoteShutdownPrivilege	1328	powershell.exe
Token: SeUndockPrivilege	1328	powershell.exe
Token: SeManageVolumePrivilege	1328	powershell.exe
Token: 33	1328	powershell.exe
Token: 34	1328	powershell.exe
Token: 35	1328	powershell.exe
Token: 36	1328	powershell.exe
Token: SeIncreaseQuotaPrivilege	4700	powershell.exe
Token: SeSecurityPrivilege	4700	powershell.exe
Token: SeTakeOwnershipPrivilege	4700	powershell.exe
Token: SeLoadDriverPrivilege	4700	powershell.exe
Token: SeSystemProfilePrivilege	4700	powershell.exe
Token: SeSystemtimePrivilege	4700	powershell.exe
Token: SeProfSingleProcessPrivilege	4700	powershell.exe
Token: SeIncBasePriorityPrivilege	4700	powershell.exe
Token: SeCreatePagefilePrivilege	4700	powershell.exe
Token: SeBackupPrivilege	4700	powershell.exe
Token: SeRestorePrivilege	4700	powershell.exe
Token: SeShutdownPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeSystemEnvironmentPrivilege	4700	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 3596	3520	58566925d97e2ab4173afb444a2440de84007947d468b9c8238d5b70ff941176.exe	66
PID 3520 wrote to memory of 3596	3520	58566925d97e2ab4173afb444a2440de84007947d468b9c8238d5b70ff941176.exe	66
PID 3520 wrote to memory of 3596	3520	58566925d97e2ab4173afb444a2440de84007947d468b9c8238d5b70ff941176.exe	66
PID 3596 wrote to memory of 4928	3596	WScript.exe	67
PID 3596 wrote to memory of 4928	3596	WScript.exe	67
PID 3596 wrote to memory of 4928	3596	WScript.exe	67
PID 4928 wrote to memory of 4592	4928	cmd.exe	69
PID 4928 wrote to memory of 4592	4928	cmd.exe	69
PID 4592 wrote to memory of 4700	4592	DllCommonsvc.exe	89
PID 4592 wrote to memory of 4700	4592	DllCommonsvc.exe	89
PID 4592 wrote to memory of 4816	4592	DllCommonsvc.exe	102
PID 4592 wrote to memory of 4816	4592	DllCommonsvc.exe	102
PID 4592 wrote to memory of 4656	4592	DllCommonsvc.exe	100
PID 4592 wrote to memory of 4656	4592	DllCommonsvc.exe	100
PID 4592 wrote to memory of 4428	4592	DllCommonsvc.exe	90
PID 4592 wrote to memory of 4428	4592	DllCommonsvc.exe	90
PID 4592 wrote to memory of 3160	4592	DllCommonsvc.exe	91
PID 4592 wrote to memory of 3160	4592	DllCommonsvc.exe	91
PID 4592 wrote to memory of 1320	4592	DllCommonsvc.exe	96
PID 4592 wrote to memory of 1320	4592	DllCommonsvc.exe	96
PID 4592 wrote to memory of 1328	4592	DllCommonsvc.exe	95
PID 4592 wrote to memory of 1328	4592	DllCommonsvc.exe	95
PID 4592 wrote to memory of 2248	4592	DllCommonsvc.exe	103
PID 4592 wrote to memory of 2248	4592	DllCommonsvc.exe	103
PID 2248 wrote to memory of 4384	2248	cmd.exe	105
PID 2248 wrote to memory of 4384	2248	cmd.exe	105
PID 2248 wrote to memory of 552	2248	cmd.exe	107
PID 2248 wrote to memory of 552	2248	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\58566925d97e2ab4173afb444a2440de84007947d468b9c8238d5b70ff941176.exe
"C:\Users\Admin\AppData\Local\Temp\58566925d97e2ab4173afb444a2440de84007947d468b9c8238d5b70ff941176.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hkU6o0mBA4.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4384
      - C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e139e79903e72825aadd1bc17a6ff3ef

SHA1
7f17046d8116c54f099649b93e2328a74de40b88

SHA256
5629c9c3211893d9b1344a318b886cf5a91f99c1106c580804aa0aa33b2cfe31

SHA512
04baea0b7e9043bd57e4c16ba77dc23342e60035379fcd2396c35c275acb1271c90eb576d1474c18bc964e03d023a1bb0f23ae50db83678ca2643caa139e9cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87d90c83121fc3408a7253eb5841399f

SHA1
8367fd2c75daf1b6dbf4501c2b068d7892962a0c

SHA256
c2dc34a546619ff3b34fcaca5e06bc3485661ce49acd3d219fa42f875bc2beb6

SHA512
7e96bb5f09338a34d9d1e773307979cb28ab10c7a6c1d585efe62d96352a1b7f5c39fc62b6e6d99fc689ffcd4a5af46da137f2730b4c6fd82d7043baeb026477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87d90c83121fc3408a7253eb5841399f

SHA1
8367fd2c75daf1b6dbf4501c2b068d7892962a0c

SHA256
c2dc34a546619ff3b34fcaca5e06bc3485661ce49acd3d219fa42f875bc2beb6

SHA512
7e96bb5f09338a34d9d1e773307979cb28ab10c7a6c1d585efe62d96352a1b7f5c39fc62b6e6d99fc689ffcd4a5af46da137f2730b4c6fd82d7043baeb026477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ea8eb4c93b171a1bd8f78c2f8d3c5f91

SHA1
c974b8f55f8e9523e09efcca15e98bbc3fdaecf9

SHA256
c28a2524ce1c2ae80134f7706c2635ebab867c3f72a765c379e52a39f6b33eaa

SHA512
842566248d47165c75a0c8a0c68a5c4a86b53dcaa847bc87e68f009a806cd985845976ae2a0268e7951f580f1cb850398a73e3c18be18d142619b23987b73878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
13c32173c79516eda8bbc710b32eaa7c

SHA1
0640d372dea5d00a696ecd5db50bb5cf3644583c

SHA256
eb551ac96885028b206d63b89555a6a3eb6a7bcd47c567e72109b4d6eae16277

SHA512
d6e5e865d4e782efcd33da4b576e4baa219fa6d001bcd4376affd3e92b4965eee3405b8bc13bb6ff128658862ac4b63f7a47dcabd876d0cf1cf4c092460ba2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkU6o0mBA4.bat

Filesize
195B

MD5
e3d96d458f679d115125731610727bd7

SHA1
a2f71a68dc8ae43c5d60dcda0bf7b4f613ed99df

SHA256
882d065dd6b2a2d30f43054f2430ae3dab8836b322660291f4009fddc45a6c69

SHA512
4abbb1d8694883acb13c18cec002b9b13098ce7e33cab03605d24329f81794617b955cc1f390eb735a6acaf5d2ae4240d682d5116329c5d44bc03e3b3860bfe7

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/3520-163-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-172-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-135-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-136-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-138-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-137-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-140-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-139-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-141-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-142-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-143-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-144-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-145-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-147-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-146-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-148-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-150-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-149-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-151-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-152-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-153-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-154-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-155-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-156-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-157-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-158-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-159-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-160-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-161-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-162-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-133-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-164-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-165-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-166-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-168-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-167-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-169-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-170-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-171-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-134-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-173-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-174-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-175-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-176-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-177-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-178-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-179-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-180-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-117-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-118-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-119-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-120-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-123-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-122-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-125-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-126-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-127-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-128-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-129-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-132-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-131-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3520-130-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3596-182-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3596-183-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4592-287-0x00000000016E0000-0x00000000016EC000-memory.dmp

Filesize
48KB

Download
memory/4592-286-0x00000000016D0000-0x00000000016DC000-memory.dmp

Filesize
48KB

Download
memory/4592-285-0x00000000016C0000-0x00000000016CC000-memory.dmp

Filesize
48KB

Download
memory/4592-284-0x00000000016B0000-0x00000000016C2000-memory.dmp

Filesize
72KB

Download
memory/4592-283-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/4816-330-0x00000214B3170000-0x00000214B31E6000-memory.dmp

Filesize
472KB

Download
memory/4816-324-0x00000214B2F90000-0x00000214B2FB2000-memory.dmp

Filesize
136KB

Download