dcrat | 569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb

Analysis

max time kernel
148s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe
Size

1.3MB
MD5

5bbd166f7975753b899b34b400be0341
SHA1

740309cb77eb8fee4105d520bd44f8f0171ec3fb
SHA256

569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb
SHA512

a2f85c09f878c30fb6b3e0562ff21d3a6b4f23f49b2610052fe265ee8cc5f9dc508add38406d24b41d5d852d8b9eef04eb4b742121ec916b55c10be1c607554f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4176	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac0c-280.dat	dcrat
behavioral1/files/0x000800000001ac0c-281.dat	dcrat
behavioral1/memory/3884-282-0x0000000000C90000-0x0000000000DA0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac2a-317.dat	dcrat
behavioral1/files/0x000600000001ac2a-316.dat	dcrat
behavioral1/files/0x000600000001ac2a-612.dat	dcrat
behavioral1/files/0x000600000001ac2a-619.dat	dcrat
behavioral1/files/0x000600000001ac2a-624.dat	dcrat
behavioral1/files/0x000600000001ac2a-630.dat	dcrat
behavioral1/files/0x000600000001ac2a-635.dat	dcrat
behavioral1/files/0x000600000001ac2a-640.dat	dcrat
behavioral1/files/0x000600000001ac2a-645.dat	dcrat
behavioral1/files/0x000600000001ac2a-650.dat	dcrat
behavioral1/files/0x000600000001ac2a-655.dat	dcrat
behavioral1/files/0x000600000001ac2a-660.dat	dcrat
behavioral1/files/0x000600000001ac2a-666.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
3884	DllCommonsvc.exe
2840	cmd.exe
980	cmd.exe
4548	cmd.exe
2272	cmd.exe
2528	cmd.exe
1040	cmd.exe
1316	cmd.exe
4764	cmd.exe
3648	cmd.exe
4560	cmd.exe
1368	cmd.exe
2836	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\56085415360792	DllCommonsvc.exe
File created	C:\Windows\Speech_OneCore\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Speech_OneCore\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\ja-JP\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4552	schtasks.exe
3144	schtasks.exe
4652	schtasks.exe
3232	schtasks.exe
4348	schtasks.exe
4564	schtasks.exe
4336	schtasks.exe
4952	schtasks.exe
3684	schtasks.exe
5068	schtasks.exe
3228	schtasks.exe
1816	schtasks.exe
4320	schtasks.exe
5080	schtasks.exe
4344	schtasks.exe
4464	schtasks.exe
4424	schtasks.exe
3736	schtasks.exe
2804	schtasks.exe
4508	schtasks.exe
4364	schtasks.exe
4312	schtasks.exe
4640	schtasks.exe
5076	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
3884	DllCommonsvc.exe
1020	powershell.exe
420	powershell.exe
3152	powershell.exe
612	powershell.exe
1236	powershell.exe
1672	powershell.exe
1040	powershell.exe
4696	powershell.exe
3152	powershell.exe
304	powershell.exe
1040	powershell.exe
2840	cmd.exe
304	powershell.exe
1020	powershell.exe
420	powershell.exe
1236	powershell.exe
612	powershell.exe
1672	powershell.exe
4696	powershell.exe
3152	powershell.exe
1040	powershell.exe
304	powershell.exe
1020	powershell.exe
1236	powershell.exe
420	powershell.exe
612	powershell.exe
1672	powershell.exe
4696	powershell.exe
980	cmd.exe
4548	cmd.exe
2272	cmd.exe
2528	cmd.exe
1040	cmd.exe
1316	cmd.exe
4764	cmd.exe
3648	cmd.exe
4560	cmd.exe
1368	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	DllCommonsvc.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	2840	cmd.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeIncreaseQuotaPrivilege	1040	powershell.exe
Token: SeSecurityPrivilege	1040	powershell.exe
Token: SeTakeOwnershipPrivilege	1040	powershell.exe
Token: SeLoadDriverPrivilege	1040	powershell.exe
Token: SeSystemProfilePrivilege	1040	powershell.exe
Token: SeSystemtimePrivilege	1040	powershell.exe
Token: SeProfSingleProcessPrivilege	1040	powershell.exe
Token: SeIncBasePriorityPrivilege	1040	powershell.exe
Token: SeCreatePagefilePrivilege	1040	powershell.exe
Token: SeBackupPrivilege	1040	powershell.exe
Token: SeRestorePrivilege	1040	powershell.exe
Token: SeShutdownPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeSystemEnvironmentPrivilege	1040	powershell.exe
Token: SeRemoteShutdownPrivilege	1040	powershell.exe
Token: SeUndockPrivilege	1040	powershell.exe
Token: SeManageVolumePrivilege	1040	powershell.exe
Token: 33	1040	powershell.exe
Token: 34	1040	powershell.exe
Token: 35	1040	powershell.exe
Token: 36	1040	powershell.exe
Token: SeIncreaseQuotaPrivilege	1020	powershell.exe
Token: SeSecurityPrivilege	1020	powershell.exe
Token: SeTakeOwnershipPrivilege	1020	powershell.exe
Token: SeIncreaseQuotaPrivilege	3152	powershell.exe
Token: SeLoadDriverPrivilege	1020	powershell.exe
Token: SeSecurityPrivilege	3152	powershell.exe
Token: SeTakeOwnershipPrivilege	3152	powershell.exe
Token: SeLoadDriverPrivilege	3152	powershell.exe
Token: SeSystemProfilePrivilege	3152	powershell.exe
Token: SeSystemtimePrivilege	3152	powershell.exe
Token: SeProfSingleProcessPrivilege	3152	powershell.exe
Token: SeIncBasePriorityPrivilege	3152	powershell.exe
Token: SeCreatePagefilePrivilege	3152	powershell.exe
Token: SeBackupPrivilege	3152	powershell.exe
Token: SeSystemProfilePrivilege	1020	powershell.exe
Token: SeRestorePrivilege	3152	powershell.exe
Token: SeSystemtimePrivilege	1020	powershell.exe
Token: SeShutdownPrivilege	3152	powershell.exe
Token: SeProfSingleProcessPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: SeSystemEnvironmentPrivilege	3152	powershell.exe
Token: SeCreatePagefilePrivilege	1020	powershell.exe
Token: SeRemoteShutdownPrivilege	3152	powershell.exe
Token: SeBackupPrivilege	1020	powershell.exe
Token: SeUndockPrivilege	3152	powershell.exe
Token: SeRestorePrivilege	1020	powershell.exe
Token: SeManageVolumePrivilege	3152	powershell.exe
Token: SeShutdownPrivilege	1020	powershell.exe
Token: 33	3152	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: 34	3152	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4892	2700	569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe	66
PID 2700 wrote to memory of 4892	2700	569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe	66
PID 2700 wrote to memory of 4892	2700	569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe	66
PID 4892 wrote to memory of 2000	4892	WScript.exe	67
PID 4892 wrote to memory of 2000	4892	WScript.exe	67
PID 4892 wrote to memory of 2000	4892	WScript.exe	67
PID 2000 wrote to memory of 3884	2000	cmd.exe	69
PID 2000 wrote to memory of 3884	2000	cmd.exe	69
PID 3884 wrote to memory of 420	3884	DllCommonsvc.exe	95
PID 3884 wrote to memory of 420	3884	DllCommonsvc.exe	95
PID 3884 wrote to memory of 1020	3884	DllCommonsvc.exe	113
PID 3884 wrote to memory of 1020	3884	DllCommonsvc.exe	113
PID 3884 wrote to memory of 3152	3884	DllCommonsvc.exe	112
PID 3884 wrote to memory of 3152	3884	DllCommonsvc.exe	112
PID 3884 wrote to memory of 1236	3884	DllCommonsvc.exe	111
PID 3884 wrote to memory of 1236	3884	DllCommonsvc.exe	111
PID 3884 wrote to memory of 1672	3884	DllCommonsvc.exe	110
PID 3884 wrote to memory of 1672	3884	DllCommonsvc.exe	110
PID 3884 wrote to memory of 612	3884	DllCommonsvc.exe	109
PID 3884 wrote to memory of 612	3884	DllCommonsvc.exe	109
PID 3884 wrote to memory of 1040	3884	DllCommonsvc.exe	108
PID 3884 wrote to memory of 1040	3884	DllCommonsvc.exe	108
PID 3884 wrote to memory of 4696	3884	DllCommonsvc.exe	107
PID 3884 wrote to memory of 4696	3884	DllCommonsvc.exe	107
PID 3884 wrote to memory of 304	3884	DllCommonsvc.exe	102
PID 3884 wrote to memory of 304	3884	DllCommonsvc.exe	102
PID 3884 wrote to memory of 2840	3884	DllCommonsvc.exe	106
PID 3884 wrote to memory of 2840	3884	DllCommonsvc.exe	106
PID 2840 wrote to memory of 2248	2840	cmd.exe	114
PID 2840 wrote to memory of 2248	2840	cmd.exe	114
PID 2248 wrote to memory of 4304	2248	cmd.exe	116
PID 2248 wrote to memory of 4304	2248	cmd.exe	116
PID 2248 wrote to memory of 980	2248	cmd.exe	118
PID 2248 wrote to memory of 980	2248	cmd.exe	118
PID 980 wrote to memory of 3328	980	cmd.exe	119
PID 980 wrote to memory of 3328	980	cmd.exe	119
PID 3328 wrote to memory of 4464	3328	cmd.exe	121
PID 3328 wrote to memory of 4464	3328	cmd.exe	121
PID 3328 wrote to memory of 4548	3328	cmd.exe	122
PID 3328 wrote to memory of 4548	3328	cmd.exe	122
PID 4548 wrote to memory of 1932	4548	cmd.exe	123
PID 4548 wrote to memory of 1932	4548	cmd.exe	123
PID 1932 wrote to memory of 1964	1932	cmd.exe	125
PID 1932 wrote to memory of 1964	1932	cmd.exe	125
PID 1932 wrote to memory of 2272	1932	cmd.exe	126
PID 1932 wrote to memory of 2272	1932	cmd.exe	126
PID 2272 wrote to memory of 4928	2272	cmd.exe	127
PID 2272 wrote to memory of 4928	2272	cmd.exe	127
PID 4928 wrote to memory of 4968	4928	cmd.exe	129
PID 4928 wrote to memory of 4968	4928	cmd.exe	129
PID 4928 wrote to memory of 2528	4928	cmd.exe	130
PID 4928 wrote to memory of 2528	4928	cmd.exe	130
PID 2528 wrote to memory of 3496	2528	cmd.exe	131
PID 2528 wrote to memory of 3496	2528	cmd.exe	131
PID 3496 wrote to memory of 2108	3496	cmd.exe	133
PID 3496 wrote to memory of 2108	3496	cmd.exe	133
PID 3496 wrote to memory of 1040	3496	cmd.exe	134
PID 3496 wrote to memory of 1040	3496	cmd.exe	134
PID 1040 wrote to memory of 4580	1040	cmd.exe	135
PID 1040 wrote to memory of 4580	1040	cmd.exe	135
PID 4580 wrote to memory of 3516	4580	cmd.exe	137
PID 4580 wrote to memory of 3516	4580	cmd.exe	137
PID 4580 wrote to memory of 1316	4580	cmd.exe	138
PID 4580 wrote to memory of 1316	4580	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe
"C:\Users\Admin\AppData\Local\Temp\569b5bfdd1ce074ebf992b110e94d24d8dcba639ad39fe0ce6e031fa426d50fb.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
    - - C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4304
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4464
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1964
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4968
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2108
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3516
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
        18⤵
        
        PID:3460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4436
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
        20⤵
        
        PID:1216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2920
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
        22⤵
        
        PID:4672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3768
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"
        24⤵
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3160
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
        26⤵
        
        PID:4408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1232
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        28⤵
        
        PID:4456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Cursors\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech_OneCore\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech_OneCore\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b1e27ca4f85298e99cddb5d80f084cd

SHA1
f8f396aaeb21f0cc09b4ac27c92d231b4a0eace2

SHA256
ed56f4ef64bc9dcc2f201cfe0288a8dc367ac1db9ac62b274b0017863e416857

SHA512
d6ca3d044753efa05078dbe1ddfcf3886d259b5772ba13e450cee876cf278910d5e1d7d14e98905dca172aa037a7ccd19dbc5ff0defa3bad8eb7b45950c893c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
480f3b74eddafbf56000c696ca100768

SHA1
10739e5f8a691359077d0213ebc0cd0be34cb8c8

SHA256
25b3966731188660daa9e271c88d9517068bd4e558409204d98b2762ec3f31cb

SHA512
02a06926a4db960f31425470938e94f732ad025b2af7e61011dc4e9b03ea71ac3a08153b6d29f49c92190eb584cee6db37f1fdcd899592df4fb50133d2db0c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dd6d1844b05e3819d050cc6605b2bd76

SHA1
720141bd33cb33bb50cba4242b21483fda5b5311

SHA256
b95a9f4f85e45ef57cd13ce7d3692e3e13d6c41ff8011277685083aa1e34c4d3

SHA512
10b59fd6a445f7179507fdd9ae9e19d55314d33bd90338caeb23554f7f050015006f4a1f348c26dd423886d691297799a17131f41663a0fface5e4785727455e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
480f3b74eddafbf56000c696ca100768

SHA1
10739e5f8a691359077d0213ebc0cd0be34cb8c8

SHA256
25b3966731188660daa9e271c88d9517068bd4e558409204d98b2762ec3f31cb

SHA512
02a06926a4db960f31425470938e94f732ad025b2af7e61011dc4e9b03ea71ac3a08153b6d29f49c92190eb584cee6db37f1fdcd899592df4fb50133d2db0c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dd6d1844b05e3819d050cc6605b2bd76

SHA1
720141bd33cb33bb50cba4242b21483fda5b5311

SHA256
b95a9f4f85e45ef57cd13ce7d3692e3e13d6c41ff8011277685083aa1e34c4d3

SHA512
10b59fd6a445f7179507fdd9ae9e19d55314d33bd90338caeb23554f7f050015006f4a1f348c26dd423886d691297799a17131f41663a0fface5e4785727455e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dd6d1844b05e3819d050cc6605b2bd76

SHA1
720141bd33cb33bb50cba4242b21483fda5b5311

SHA256
b95a9f4f85e45ef57cd13ce7d3692e3e13d6c41ff8011277685083aa1e34c4d3

SHA512
10b59fd6a445f7179507fdd9ae9e19d55314d33bd90338caeb23554f7f050015006f4a1f348c26dd423886d691297799a17131f41663a0fface5e4785727455e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f69fb3884a96aae528b2eaa5300e0b31

SHA1
847cf6f970164f1b0d73dc05ed734f8d2aba5c91

SHA256
8343b2733ced9a5bc7e4905cb51b527e628aa2aef492e252c3dd9ad27e291bc4

SHA512
f5db27b022230324f4e208d9903623be56283cc9fa702b64aadcfc0438f1dbbfbfe041e4ee7c1cbae8946f8dd33d201c8eb17ae8ea04851e6f729d97c5820f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f69fb3884a96aae528b2eaa5300e0b31

SHA1
847cf6f970164f1b0d73dc05ed734f8d2aba5c91

SHA256
8343b2733ced9a5bc7e4905cb51b527e628aa2aef492e252c3dd9ad27e291bc4

SHA512
f5db27b022230324f4e208d9903623be56283cc9fa702b64aadcfc0438f1dbbfbfe041e4ee7c1cbae8946f8dd33d201c8eb17ae8ea04851e6f729d97c5820f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
194B

MD5
a317060d73bd0f1c3eca75c7388928b4

SHA1
ebd12df0bdfed61fdbfe0cfa0068c761e67ab728

SHA256
ad47dc5c8caa853f36ca56b15807efd2533ca93c47ab7a6e81fb4adcad22f0c4

SHA512
267c4e510b860598bd11fa00d1bd6d7be8ae83fd3115cb280a559b4905cec9ded27bccc75dcf728a23b855d9f397d6a8f83e7cc27e15064d4f84c75db32a798f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

Filesize
194B

MD5
c7157d71c1dc4fcc7a79f9b82d5f6d07

SHA1
4516066ed7a59ea0ac9cc50723200ec1d46aa78a

SHA256
d02f0530c1c252f8d3ed132d8b581c364a27b3d0ab319ad897c678d14d1854b3

SHA512
19b4eb0ad76e17e334c93322ec55baa4769b4f00d67d0b4a34c2df81850cccbf6297edba98e5f4f943b28d6d17c718746be34577821e15e4ff4836ad2a233cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
194B

MD5
1c77683e4669cb47653658f587b1b670

SHA1
043df2e6e87ac22a580773dccc70ddd5cabc9498

SHA256
f21740c416cd96da4012aebe61e5c2d4b18ffef07396761b4ca1fbe6b34cf1f7

SHA512
74c7dc768932df3aab9f0cca6123cb8d573ced1efbbe4d4ac9589d32c1a0836e766368f6c006009dcaebc5237e8dabed74e829d0b4d8eee5e5e44934f9858e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
194B

MD5
7c643090a3e80e580609348fb9235f31

SHA1
22a0a070872afa43d7059a6a0955ce8ef96d5663

SHA256
6aacb935bdeb5f493ac16ebd70933b035d69a58bd9a894542484bc1e5ff984bb

SHA512
4649dc1296760cdbd8efd48487920d3f0b3b9e275cf9a6fdf8cc45f3d2a77d806953ca7c503c9def17b61368d457eb4d81aee18710303dacef0d9e288b4c51d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat

Filesize
194B

MD5
7cf81fb4dd6be489ee2db25abce6eefc

SHA1
39532f1223fb19a195c5cdad945c03bde2e204fa

SHA256
da0ca947966e008c8d9a253177526d46742475bb575b794c1815fcbfafe0037e

SHA512
c5de3dfa63e5507e5739e1100881ed4a9e3bb3d19ce4ab735926b81603b5d1b1b9a8b523ced0c3b73f3ab8e469b58c41304a8ad3b4858114d38ec2dc909796ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

Filesize
194B

MD5
0bb5147691f2b1568bb7256485e478b4

SHA1
43efcc043fb17638203ec1069023e3f0a435b5b5

SHA256
b37ab68c83fb81fe54bd1251e2c04181675a1c02d4a1704c1cb708f886f3a2fd

SHA512
d1fff80d594ecbf674fb14a507c2e575e677a7bca3f30f72c5590b9301d8d9bcd489a18af00ed077692e28b9c44e1f19465b034b5412b0a8236dd2bbda7a30e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

Filesize
194B

MD5
0bb5147691f2b1568bb7256485e478b4

SHA1
43efcc043fb17638203ec1069023e3f0a435b5b5

SHA256
b37ab68c83fb81fe54bd1251e2c04181675a1c02d4a1704c1cb708f886f3a2fd

SHA512
d1fff80d594ecbf674fb14a507c2e575e677a7bca3f30f72c5590b9301d8d9bcd489a18af00ed077692e28b9c44e1f19465b034b5412b0a8236dd2bbda7a30e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
194B

MD5
4088ec258a27451826a60a1532f10157

SHA1
d7fb9236783d562d5793a346c45a00922dfde58d

SHA256
511c0efafd7519fb3f8f546c8d6c68e58cbb9aff4ed2faff406c7b926f922bd5

SHA512
de583e6a88bce064ed9d6f8f68e670e975d3cc53264c60344f95d03681b7a3995952d21b10cb54f47021c53dde654d7572ed2c8f144cbe1004270006c97aeb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat

Filesize
194B

MD5
1287599e15e8392e87019a8adff872f1

SHA1
ae72c465575d2196b7a6edd2d63eb9117f6b4e0e

SHA256
ff371753ae5473982dc27de8356e45ee32412d1257c2de30613ad3cebdac5724

SHA512
741ef33f8b6197ca412503df5e6179a435f38d4d1d550bf87de803aa0c033ff202d75cf8d2b41a31a4cb2143440097590ffa49d9c28e9b28ba3459ce3bcabb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat

Filesize
194B

MD5
37191ad16e3281e9975eaf306594f654

SHA1
201ec9e85515791932d5a38f759888972d8a2bcb

SHA256
429dda4be340384706384105bec63780052fae1a448e19a5b5962c55faf91730

SHA512
078db34e5b7688275ac9bbadd84e88487b5ed0ac8b2f8e8b22e586be9fcbb08a05eb2b343b5aaf21914d97adf892da9458cf440f61120342a00ab2c91ead8568

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat

Filesize
194B

MD5
7a9907616c533b1a54389909192efcac

SHA1
1eae6f2205437584b243faeebc3069cbc805bfa5

SHA256
92b2a6257d6218eef37632631f8ddb47161d268d98602b4ac70e89f5186993e6

SHA512
e9cf5665686c7dc7efb0ac381668f926acf8af3d2c7430f4f3592047b19a93a6d5ebc90eb2b61ece004219a6ce1790f1576c754fcff2c2d1f0658c819838a6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
194B

MD5
a3c4f95cc4c9a24180d3046e3380f45f

SHA1
08315583807a642e02c1180383a0ec931768e2ac

SHA256
a9bb3d863639bde1b92765273186a583625152d5adf974aabdfe505391e8f658

SHA512
4e10b57c611c72d1bb0f11382ad94cceed5dcb50f111282e23a51e8cb99e3b0dd97e9d910d3c7e4844d4c76879361b733d3b16a52736ecea157cda303dc1a9c5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/980-614-0x0000000001580000-0x0000000001592000-memory.dmp

Filesize
72KB

Download
memory/1020-335-0x000001A95C6F0000-0x000001A95C712000-memory.dmp

Filesize
136KB

Download
memory/1368-661-0x0000000001700000-0x0000000001712000-memory.dmp

Filesize
72KB

Download
memory/2272-625-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/2700-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-179-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-117-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-178-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-118-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-176-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-172-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-171-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-142-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-146-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-149-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-153-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-148-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-157-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-160-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-170-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-168-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-167-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-166-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-165-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-164-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-163-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-162-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-159-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-158-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-150-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-156-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-129-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-154-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-132-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-147-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-116-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-141-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2840-336-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/3152-341-0x0000025F70D60000-0x0000025F70DD6000-memory.dmp

Filesize
472KB

Download
memory/3884-286-0x000000001B910000-0x000000001B91C000-memory.dmp

Filesize
48KB

Download
memory/3884-282-0x0000000000C90000-0x0000000000DA0000-memory.dmp

Filesize
1.1MB

Download
memory/3884-283-0x0000000002F00000-0x0000000002F12000-memory.dmp

Filesize
72KB

Download
memory/3884-284-0x000000001B900000-0x000000001B90C000-memory.dmp

Filesize
48KB

Download
memory/3884-285-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/4892-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4892-182-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download