dcrat | a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f.exe
Size

1.3MB
MD5

d183a2f5ee9f397cdebeb9791d90f690
SHA1

5839a191e68776daaf0a4c2318432a139498fe0f
SHA256

a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f
SHA512

166470915d43fcbfb7c38667cf83358ef254c460f8b667b8beda939f62c04054742c3f5d44f1fa72e9b1185ea928bf6d2ca5d5298bff963ef6ca910d1c16f3cb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4796	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	4796	schtasks.exe	71

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022f58-137.dat	dcrat
behavioral1/files/0x0006000000022f58-138.dat	dcrat
behavioral1/memory/3184-139-0x0000000000600000-0x0000000000710000-memory.dmp	dcrat
behavioral1/files/0x0006000000022f83-159.dat	dcrat
behavioral1/files/0x0006000000022f83-158.dat	dcrat
behavioral1/files/0x0006000000022f83-204.dat	dcrat
behavioral1/files/0x0006000000022f83-212.dat	dcrat
behavioral1/files/0x0006000000022f83-219.dat	dcrat
behavioral1/files/0x0006000000022f83-226.dat	dcrat
behavioral1/files/0x0006000000022f83-233.dat	dcrat
behavioral1/files/0x0006000000022f83-240.dat	dcrat
behavioral1/files/0x0006000000022f83-247.dat	dcrat
behavioral1/files/0x0006000000022f83-254.dat	dcrat

Executes dropped EXE 10 IoCs

pid	Process
3184	DllCommonsvc.exe
3568	wininit.exe
3052	wininit.exe
4688	wininit.exe
4160	wininit.exe
1932	wininit.exe
536	wininit.exe
3180	wininit.exe
2052	wininit.exe
2004	wininit.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wininit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\System.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\taskhostw.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3568	schtasks.exe
1972	schtasks.exe
1048	schtasks.exe
448	schtasks.exe
948	schtasks.exe
3752	schtasks.exe
4984	schtasks.exe
2268	schtasks.exe
4428	schtasks.exe
3212	schtasks.exe
3060	schtasks.exe
1908	schtasks.exe
2900	schtasks.exe
4172	schtasks.exe
4784	schtasks.exe
3484	schtasks.exe
4876	schtasks.exe
4476	schtasks.exe
1012	schtasks.exe
3640	schtasks.exe
4900	schtasks.exe
3168	schtasks.exe
2188	schtasks.exe
1564	schtasks.exe
3048	schtasks.exe
2756	schtasks.exe
4800	schtasks.exe
2052	schtasks.exe
3152	schtasks.exe
4504	schtasks.exe
4820	schtasks.exe
1508	schtasks.exe
4412	schtasks.exe
4780	schtasks.exe
4348	schtasks.exe
2808	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	wininit.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
3184	DllCommonsvc.exe
3184	DllCommonsvc.exe
3184	DllCommonsvc.exe
3184	DllCommonsvc.exe
3184	DllCommonsvc.exe
1072	powershell.exe
1072	powershell.exe
3052	powershell.exe
3052	powershell.exe
4772	powershell.exe
4772	powershell.exe
3764	powershell.exe
3764	powershell.exe
4160	powershell.exe
4160	powershell.exe
3224	powershell.exe
3224	powershell.exe
1820	powershell.exe
1820	powershell.exe
800	powershell.exe
800	powershell.exe
4748	powershell.exe
4748	powershell.exe
1096	powershell.exe
1096	powershell.exe
1960	powershell.exe
1960	powershell.exe
800	powershell.exe
3644	powershell.exe
3644	powershell.exe
1112	powershell.exe
1112	powershell.exe
3568	wininit.exe
3568	wininit.exe
3052	powershell.exe
3052	powershell.exe
1072	powershell.exe
1072	powershell.exe
1820	powershell.exe
1820	powershell.exe
3764	powershell.exe
3764	powershell.exe
4772	powershell.exe
4772	powershell.exe
4160	powershell.exe
4160	powershell.exe
3224	powershell.exe
3224	powershell.exe
4748	powershell.exe
3644	powershell.exe
1960	powershell.exe
1096	powershell.exe
1112	powershell.exe
3052	wininit.exe
4688	wininit.exe
4160	wininit.exe
1932	wininit.exe
536	wininit.exe
3180	wininit.exe
2052	wininit.exe
2004	wininit.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3184	DllCommonsvc.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3568	wininit.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	3052	wininit.exe
Token: SeDebugPrivilege	4688	wininit.exe
Token: SeDebugPrivilege	4160	wininit.exe
Token: SeDebugPrivilege	1932	wininit.exe
Token: SeDebugPrivilege	536	wininit.exe
Token: SeDebugPrivilege	3180	wininit.exe
Token: SeDebugPrivilege	2052	wininit.exe
Token: SeDebugPrivilege	2004	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3888	1768	a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f.exe	79
PID 1768 wrote to memory of 3888	1768	a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f.exe	79
PID 1768 wrote to memory of 3888	1768	a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f.exe	79
PID 3888 wrote to memory of 2336	3888	WScript.exe	83
PID 3888 wrote to memory of 2336	3888	WScript.exe	83
PID 3888 wrote to memory of 2336	3888	WScript.exe	83
PID 2336 wrote to memory of 3184	2336	cmd.exe	85
PID 2336 wrote to memory of 3184	2336	cmd.exe	85
PID 3184 wrote to memory of 3224	3184	DllCommonsvc.exe	123
PID 3184 wrote to memory of 3224	3184	DllCommonsvc.exe	123
PID 3184 wrote to memory of 1072	3184	DllCommonsvc.exe	124
PID 3184 wrote to memory of 1072	3184	DllCommonsvc.exe	124
PID 3184 wrote to memory of 3052	3184	DllCommonsvc.exe	139
PID 3184 wrote to memory of 3052	3184	DllCommonsvc.exe	139
PID 3184 wrote to memory of 3764	3184	DllCommonsvc.exe	126
PID 3184 wrote to memory of 3764	3184	DllCommonsvc.exe	126
PID 3184 wrote to memory of 1820	3184	DllCommonsvc.exe	138
PID 3184 wrote to memory of 1820	3184	DllCommonsvc.exe	138
PID 3184 wrote to memory of 4772	3184	DllCommonsvc.exe	137
PID 3184 wrote to memory of 4772	3184	DllCommonsvc.exe	137
PID 3184 wrote to memory of 4160	3184	DllCommonsvc.exe	130
PID 3184 wrote to memory of 4160	3184	DllCommonsvc.exe	130
PID 3184 wrote to memory of 800	3184	DllCommonsvc.exe	131
PID 3184 wrote to memory of 800	3184	DllCommonsvc.exe	131
PID 3184 wrote to memory of 4748	3184	DllCommonsvc.exe	132
PID 3184 wrote to memory of 4748	3184	DllCommonsvc.exe	132
PID 3184 wrote to memory of 1960	3184	DllCommonsvc.exe	141
PID 3184 wrote to memory of 1960	3184	DllCommonsvc.exe	141
PID 3184 wrote to memory of 1096	3184	DllCommonsvc.exe	142
PID 3184 wrote to memory of 1096	3184	DllCommonsvc.exe	142
PID 3184 wrote to memory of 3644	3184	DllCommonsvc.exe	143
PID 3184 wrote to memory of 3644	3184	DllCommonsvc.exe	143
PID 3184 wrote to memory of 1112	3184	DllCommonsvc.exe	146
PID 3184 wrote to memory of 1112	3184	DllCommonsvc.exe	146
PID 3184 wrote to memory of 3568	3184	DllCommonsvc.exe	149
PID 3184 wrote to memory of 3568	3184	DllCommonsvc.exe	149
PID 3568 wrote to memory of 3952	3568	wininit.exe	153
PID 3568 wrote to memory of 3952	3568	wininit.exe	153
PID 3952 wrote to memory of 3216	3952	cmd.exe	155
PID 3952 wrote to memory of 3216	3952	cmd.exe	155
PID 3952 wrote to memory of 3052	3952	cmd.exe	156
PID 3952 wrote to memory of 3052	3952	cmd.exe	156
PID 3052 wrote to memory of 3956	3052	wininit.exe	157
PID 3052 wrote to memory of 3956	3052	wininit.exe	157
PID 3956 wrote to memory of 1500	3956	cmd.exe	159
PID 3956 wrote to memory of 1500	3956	cmd.exe	159
PID 3956 wrote to memory of 4688	3956	cmd.exe	160
PID 3956 wrote to memory of 4688	3956	cmd.exe	160
PID 4688 wrote to memory of 1636	4688	wininit.exe	161
PID 4688 wrote to memory of 1636	4688	wininit.exe	161
PID 1636 wrote to memory of 3152	1636	cmd.exe	163
PID 1636 wrote to memory of 3152	1636	cmd.exe	163
PID 1636 wrote to memory of 4160	1636	cmd.exe	164
PID 1636 wrote to memory of 4160	1636	cmd.exe	164
PID 4160 wrote to memory of 1884	4160	wininit.exe	165
PID 4160 wrote to memory of 1884	4160	wininit.exe	165
PID 1884 wrote to memory of 4952	1884	cmd.exe	167
PID 1884 wrote to memory of 4952	1884	cmd.exe	167
PID 1884 wrote to memory of 1932	1884	cmd.exe	168
PID 1884 wrote to memory of 1932	1884	cmd.exe	168
PID 1932 wrote to memory of 3520	1932	wininit.exe	169
PID 1932 wrote to memory of 3520	1932	wininit.exe	169
PID 3520 wrote to memory of 680	3520	cmd.exe	171
PID 3520 wrote to memory of 680	3520	cmd.exe	171

C:\Users\Admin\AppData\Local\Temp\a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f.exe
"C:\Users\Admin\AppData\Local\Temp\a9ca1844cdf08049b0a4ed12983bac339a5c97d7f5f81d8d64374e7cd7566d7f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
    - - C:\Users\Default\Application Data\wininit.exe
        
        "C:\Users\Default\Application Data\wininit.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3216
        
        C:\Users\Default\Application Data\wininit.exe
        
        "C:\Users\Default\Application Data\wininit.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1500
        
        C:\Users\Default\Application Data\wininit.exe
        
        "C:\Users\Default\Application Data\wininit.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3152
        
        C:\Users\Default\Application Data\wininit.exe
        
        "C:\Users\Default\Application Data\wininit.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4952
        
        C:\Users\Default\Application Data\wininit.exe
        
        "C:\Users\Default\Application Data\wininit.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:680
        
        C:\Users\Default\Application Data\wininit.exe
        
        "C:\Users\Default\Application Data\wininit.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        16⤵
        
        PID:3748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1988
        
        C:\Users\Default\Application Data\wininit.exe
        
        "C:\Users\Default\Application Data\wininit.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        18⤵
        
        PID:772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4944
        
        C:\Users\Default\Application Data\wininit.exe
        
        "C:\Users\Default\Application Data\wininit.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        20⤵
        
        PID:3320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:5080
        
        C:\Users\Default\Application Data\wininit.exe
        
        "C:\Users\Default\Application Data\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Favorites\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

Filesize
210B

MD5
bb0b791a759e48af2b80ae0f07a5e728

SHA1
c785f78a2516c1aa77045c1ccf90629049f40468

SHA256
83068ac9139e9ba9e84464c76add39dbd1a336fec89cebc298448bd6766685be

SHA512
1b13ea4f6ce450b7ab732d48543e8d51d9c67429bf7fd232b88c7d86d3f98118d8b3faf60fc98ace8c510f0a25f54ca954928442d9dcb4171475a579a5150ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
210B

MD5
ce4d9a726bda8e123ead6c7b5dd23a39

SHA1
c8abbc9e425078970f90287cdc6b7e472de1ec33

SHA256
035d19728bf14f920cfd8f54673d9a517440c64abb7eb1edf4a3e3934f7c231c

SHA512
bcce647b4c98a300930d765694913f5d54545bdead7005cb180d9deff2bcf8e6dbd55e299655565bc79aabbfa8ab980af4c1bccfe24077ac953a4fa54d550778

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
210B

MD5
59648dceb0eb6d69b28c300329e04999

SHA1
f6df0212e9fa80cbaf0c6fa319bb56f9d8e4f4dd

SHA256
f05e1d406c73666def26963500c2c43f08761855fbb74b36e3aa05e32b806b09

SHA512
28761ecd4fcbcfd948697e22fa3c1547c3679035c678921c9313f9828dc088ce98abfb246073bb5941e4f8ae0e65009e50e523ef78f00e34e6127c631ca63662

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
210B

MD5
20ea929a12fd50f3d6762d910fa16241

SHA1
05aef29b185d3b95af3a8ec401b99784f1650370

SHA256
9e78d554783dd4cdb8acb30084d5fe4a3bfb37200185eb421b0252e6d2856343

SHA512
009e5914ba401be3b20a0b902e5fa519ae1a44cd47e972a53fd437543bdf6739cd0fe172fc3baaa89962600826eb03c3e7865e69475f53668c7f3c1dcccf6b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
210B

MD5
20ea929a12fd50f3d6762d910fa16241

SHA1
05aef29b185d3b95af3a8ec401b99784f1650370

SHA256
9e78d554783dd4cdb8acb30084d5fe4a3bfb37200185eb421b0252e6d2856343

SHA512
009e5914ba401be3b20a0b902e5fa519ae1a44cd47e972a53fd437543bdf6739cd0fe172fc3baaa89962600826eb03c3e7865e69475f53668c7f3c1dcccf6b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
210B

MD5
a6989d8be14062cfad65bd21fef12a84

SHA1
bcb09dd1ee05febed49664bb3d544829db6a2696

SHA256
fcb51a54b9f03cfb6065c22d7b50fd195d936c729b55994eb70e81791d9a160f

SHA512
dec204b35ceb64371f86b46fdc2b177882ec3c44f32cfe42cc443a7ac00b83a4333b1195231bf1ce3f44f17a6c3fc28780266897171a0f6b80e32d1ac814ba8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

Filesize
210B

MD5
f5ed09d0f4517f21b1e753ff55bf2502

SHA1
062418a03d65f3730a19ffd5ab1542ed7a6d2d4c

SHA256
fc98d61aec60b6aa943430499033890ad266b177f5502253f054f312a50e9db1

SHA512
3af62407da0ef6cc6db290a9cba47fb100feb13b003157d04422c44c1f9fd5d53566a44f2e217209adea9f2ded4c583c18d51223bccb5d16b8251512fe2bb4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
210B

MD5
32794a05b7fac8aaf71ccdf15f533621

SHA1
4b26239bc89a56b4997c022aa581255efe2ebef7

SHA256
93e248fa63af79a1ca0e86bcbf2a55799a24a8272e5fbfd74d4efb44080bd3b9

SHA512
88db8346721def60e07812cc4220ef27a27daa8d651967d7a6b97c64c0bdcd804452f374fbd36ede0a22c0a164a80a940eeeae1afc3299a06d02e2ade459c6e9

Download Submit
C:\Users\Default\AppData\Roaming\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\AppData\Roaming\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Application Data\wininit.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/536-234-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/536-238-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/800-173-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/800-166-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1072-179-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1072-155-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1096-171-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1096-194-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1112-196-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1112-170-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1820-180-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1820-162-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1932-227-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1932-231-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1960-192-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/1960-168-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/2004-255-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/2052-248-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/2052-252-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3052-176-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3052-206-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3052-157-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3052-154-0x0000022EE9F80000-0x0000022EE9FA2000-memory.dmp

Filesize
136KB

Download
memory/3052-210-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3180-241-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3180-245-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3184-140-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3184-139-0x0000000000600000-0x0000000000710000-memory.dmp

Filesize
1.1MB

Download
memory/3184-161-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3224-188-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3224-165-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3568-200-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3568-172-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3644-198-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3644-169-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3764-186-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/3764-160-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4160-164-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4160-220-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4160-224-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4160-187-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4688-217-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4688-213-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4748-190-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4748-167-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4772-185-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download
memory/4772-163-0x00007FFDDFE70000-0x00007FFDE0931000-memory.dmp

Filesize
10.8MB

Download