dcrat | aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda.exe
Size

1.3MB
MD5

c6275fe40f6eff7b8f8d76f23c00b4ac
SHA1

9c20d2f262cbabe58f542bd49d83bbee8cc99624
SHA256

aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda
SHA512

9275ddfc6e50abaad9da29870587ff418cafb4699c22b519cbd3b6412848042dac2032379df5c9e1a1369afef2dd65b35aa9ced024916d34c9551a774c0e377b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	4736	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4736	schtasks.exe	82

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0001000000022dfe-137.dat	dcrat
behavioral1/files/0x0001000000022dfe-138.dat	dcrat
behavioral1/memory/1588-139-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/files/0x0001000000022e08-150.dat	dcrat
behavioral1/files/0x0001000000022e08-149.dat	dcrat
behavioral1/files/0x0001000000022e08-180.dat	dcrat
behavioral1/files/0x0001000000022e08-188.dat	dcrat
behavioral1/files/0x0001000000022e08-195.dat	dcrat
behavioral1/files/0x0001000000022e08-202.dat	dcrat
behavioral1/files/0x0001000000022e08-209.dat	dcrat
behavioral1/files/0x0001000000022e08-216.dat	dcrat
behavioral1/files/0x0001000000022e08-223.dat	dcrat
behavioral1/files/0x0001000000022e08-230.dat	dcrat
behavioral1/files/0x0001000000022e08-237.dat	dcrat
behavioral1/files/0x0001000000022e08-244.dat	dcrat
behavioral1/files/0x0001000000022e08-251.dat	dcrat
behavioral1/files/0x0001000000022e08-258.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
1588	DllCommonsvc.exe
3552	cmd.exe
2400	cmd.exe
5092	cmd.exe
1584	cmd.exe
1148	cmd.exe
3180	cmd.exe
1684	cmd.exe
2248	cmd.exe
2924	cmd.exe
4072	cmd.exe
4896	cmd.exe
2072	cmd.exe
4888	cmd.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\ebf1f9fa8afd6d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\Resources\WmiPrvSE.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4236	schtasks.exe
4792	schtasks.exe
1524	schtasks.exe
2644	schtasks.exe
2996	schtasks.exe
3876	schtasks.exe
1432	schtasks.exe
4396	schtasks.exe
756	schtasks.exe
3528	schtasks.exe
4352	schtasks.exe
636	schtasks.exe
4160	schtasks.exe
4196	schtasks.exe
4628	schtasks.exe
380	schtasks.exe
396	schtasks.exe
1440	schtasks.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1588	DllCommonsvc.exe
1588	DllCommonsvc.exe
1588	DllCommonsvc.exe
1588	DllCommonsvc.exe
1588	DllCommonsvc.exe
1588	DllCommonsvc.exe
1588	DllCommonsvc.exe
1588	DllCommonsvc.exe
4180	powershell.exe
1512	powershell.exe
316	powershell.exe
4588	powershell.exe
1504	powershell.exe
2540	powershell.exe
312	powershell.exe
3552	cmd.exe
4180	powershell.exe
312	powershell.exe
1512	powershell.exe
316	powershell.exe
4588	powershell.exe
1504	powershell.exe
1504	powershell.exe
2540	powershell.exe
2540	powershell.exe
2400	cmd.exe
5092	cmd.exe
1584	cmd.exe
1148	cmd.exe
3180	cmd.exe
1684	cmd.exe
2248	cmd.exe
2924	cmd.exe
4072	cmd.exe
4896	cmd.exe
2072	cmd.exe
4888	cmd.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	DllCommonsvc.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	3552	cmd.exe
Token: SeDebugPrivilege	2400	cmd.exe
Token: SeDebugPrivilege	5092	cmd.exe
Token: SeDebugPrivilege	1584	cmd.exe
Token: SeDebugPrivilege	1148	cmd.exe
Token: SeDebugPrivilege	3180	cmd.exe
Token: SeDebugPrivilege	1684	cmd.exe
Token: SeDebugPrivilege	2248	cmd.exe
Token: SeDebugPrivilege	2924	cmd.exe
Token: SeDebugPrivilege	4072	cmd.exe
Token: SeDebugPrivilege	4896	cmd.exe
Token: SeDebugPrivilege	2072	cmd.exe
Token: SeDebugPrivilege	4888	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 476 wrote to memory of 4376	476	aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda.exe	77
PID 476 wrote to memory of 4376	476	aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda.exe	77
PID 476 wrote to memory of 4376	476	aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda.exe	77
PID 4376 wrote to memory of 4964	4376	WScript.exe	83
PID 4376 wrote to memory of 4964	4376	WScript.exe	83
PID 4376 wrote to memory of 4964	4376	WScript.exe	83
PID 4964 wrote to memory of 1588	4964	cmd.exe	85
PID 4964 wrote to memory of 1588	4964	cmd.exe	85
PID 1588 wrote to memory of 312	1588	DllCommonsvc.exe	105
PID 1588 wrote to memory of 312	1588	DllCommonsvc.exe	105
PID 1588 wrote to memory of 1512	1588	DllCommonsvc.exe	106
PID 1588 wrote to memory of 1512	1588	DllCommonsvc.exe	106
PID 1588 wrote to memory of 4180	1588	DllCommonsvc.exe	107
PID 1588 wrote to memory of 4180	1588	DllCommonsvc.exe	107
PID 1588 wrote to memory of 2540	1588	DllCommonsvc.exe	109
PID 1588 wrote to memory of 2540	1588	DllCommonsvc.exe	109
PID 1588 wrote to memory of 316	1588	DllCommonsvc.exe	110
PID 1588 wrote to memory of 316	1588	DllCommonsvc.exe	110
PID 1588 wrote to memory of 1504	1588	DllCommonsvc.exe	111
PID 1588 wrote to memory of 1504	1588	DllCommonsvc.exe	111
PID 1588 wrote to memory of 4588	1588	DllCommonsvc.exe	114
PID 1588 wrote to memory of 4588	1588	DllCommonsvc.exe	114
PID 1588 wrote to memory of 3552	1588	DllCommonsvc.exe	119
PID 1588 wrote to memory of 3552	1588	DllCommonsvc.exe	119
PID 3552 wrote to memory of 3272	3552	cmd.exe	122
PID 3552 wrote to memory of 3272	3552	cmd.exe	122
PID 3272 wrote to memory of 3200	3272	cmd.exe	124
PID 3272 wrote to memory of 3200	3272	cmd.exe	124
PID 3272 wrote to memory of 2400	3272	cmd.exe	125
PID 3272 wrote to memory of 2400	3272	cmd.exe	125
PID 2400 wrote to memory of 4472	2400	cmd.exe	126
PID 2400 wrote to memory of 4472	2400	cmd.exe	126
PID 4472 wrote to memory of 3512	4472	cmd.exe	128
PID 4472 wrote to memory of 3512	4472	cmd.exe	128
PID 4472 wrote to memory of 5092	4472	cmd.exe	130
PID 4472 wrote to memory of 5092	4472	cmd.exe	130
PID 5092 wrote to memory of 2128	5092	cmd.exe	131
PID 5092 wrote to memory of 2128	5092	cmd.exe	131
PID 2128 wrote to memory of 2652	2128	cmd.exe	133
PID 2128 wrote to memory of 2652	2128	cmd.exe	133
PID 2128 wrote to memory of 1584	2128	cmd.exe	134
PID 2128 wrote to memory of 1584	2128	cmd.exe	134
PID 1584 wrote to memory of 3164	1584	cmd.exe	135
PID 1584 wrote to memory of 3164	1584	cmd.exe	135
PID 3164 wrote to memory of 1520	3164	cmd.exe	137
PID 3164 wrote to memory of 1520	3164	cmd.exe	137
PID 3164 wrote to memory of 1148	3164	cmd.exe	138
PID 3164 wrote to memory of 1148	3164	cmd.exe	138
PID 1148 wrote to memory of 4616	1148	cmd.exe	139
PID 1148 wrote to memory of 4616	1148	cmd.exe	139
PID 4616 wrote to memory of 1344	4616	cmd.exe	141
PID 4616 wrote to memory of 1344	4616	cmd.exe	141
PID 4616 wrote to memory of 3180	4616	cmd.exe	142
PID 4616 wrote to memory of 3180	4616	cmd.exe	142
PID 3180 wrote to memory of 2664	3180	cmd.exe	143
PID 3180 wrote to memory of 2664	3180	cmd.exe	143
PID 2664 wrote to memory of 392	2664	cmd.exe	145
PID 2664 wrote to memory of 392	2664	cmd.exe	145
PID 2664 wrote to memory of 1684	2664	cmd.exe	146
PID 2664 wrote to memory of 1684	2664	cmd.exe	146
PID 1684 wrote to memory of 3104	1684	cmd.exe	147
PID 1684 wrote to memory of 3104	1684	cmd.exe	147
PID 3104 wrote to memory of 3728	3104	cmd.exe	149
PID 3104 wrote to memory of 3728	3104	cmd.exe	149

C:\Users\Admin\AppData\Local\Temp\aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda.exe
"C:\Users\Admin\AppData\Local\Temp\aba0766789f56e76879028dd22706412dc1ae6c1c182e514774874bf63fc8cda.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
    - - C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3200
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3512
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2652
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1520
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1344
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:392
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3728
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        20⤵
        
        PID:4132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1312
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
        22⤵
        
        PID:4872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3716
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
        24⤵
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4840
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
        26⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3432
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        27⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
        28⤵
        
        PID:3660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2172
        
        C:\Program Files\Windows Mail\cmd.exe
        
        "C:\Program Files\Windows Mail\cmd.exe"
        29⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
        30⤵
        
        PID:4568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Resources\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Mail\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat

Filesize
202B

MD5
a164327abfb8135c7b0a75af3999e34b

SHA1
c4d6ba80f39cb3cb5c9b22c5c8fb0c67c5b33dcf

SHA256
b5331e995205a373cbaceaca564224f08d356ba0bf94ccf13d527be0c75fc305

SHA512
1c4c3c0f00cc41a0ef37edb6d4f6ca2e3917b1c7386fe29162cbf8aba6be2ceb33e97c54d6ccdc5b783f47ee70a92f577796dd02f585ef6f3ad8e533332516e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
202B

MD5
82a6e6c85affea121f0af80c791699b2

SHA1
ce0d0222d87627fe115a82e9635a53c3891e9458

SHA256
efaccbd7581e09b6b0e4b653bb82c85812b495c2cecdf1c43c3e14e80124e4bd

SHA512
5d874ae4215decf6fa9dd0329e7dc103ecc226e6395af3c6827fad9f2be41d3d4f194470f9c568da92aaf118d70bce3e6d533ef73c8a206c022f9bda211d06ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
202B

MD5
d6c99a5f35c827ff5ceefdd3f8207d10

SHA1
7a7ffcc2e566a03135e1d22fd98a5d7beedb9939

SHA256
c98866ac095859b691ed0451a1db53db74ca0f7852dcd388339cfba2d5cd84d8

SHA512
1d789832bc6d67d40671f6f438c590da42e8cc013893691fb132dbd5514e9d2b1b4b9624c204ecd135596ec0d380ec1e54ef2ccd83c89df01d6fc2f731577b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat

Filesize
202B

MD5
02f57798616a93d40152bad41467b017

SHA1
d4e42353602229cce6284cb0d9b1281c65ae9400

SHA256
3cbdf52775881083166188f2105c1e9507b33efc0f22cdc2a35ebd65b2292231

SHA512
f015c08ffe18fac987d2e0da328ded492715fad3eca0d93bb75409b882161cb56622967d6a28f00f3a755514a204b827435a29379c369ca377470080cfcd9064

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

Filesize
202B

MD5
d34665eaba5f9e3c9a4828d3a5f4dd95

SHA1
fd9987c07390d89f6b37488549d9cc42d0ce0711

SHA256
774a35d227396c5418a6692c046bcad04f0506388574a7a25f51d3f1d724521d

SHA512
0195079804ae0f942e28ad035d30b4ae4835be2a288c050be7c2e79133df0f86d0da8be1964e998368474db2a64f8736e5f14ea062fac73a045be7905f43c49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

Filesize
202B

MD5
d34665eaba5f9e3c9a4828d3a5f4dd95

SHA1
fd9987c07390d89f6b37488549d9cc42d0ce0711

SHA256
774a35d227396c5418a6692c046bcad04f0506388574a7a25f51d3f1d724521d

SHA512
0195079804ae0f942e28ad035d30b4ae4835be2a288c050be7c2e79133df0f86d0da8be1964e998368474db2a64f8736e5f14ea062fac73a045be7905f43c49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
202B

MD5
17083214fa2a5345830bb0dc2636b367

SHA1
49bc7d8a2c05fa96f34689c7c09845ccc4fc7f85

SHA256
43111c37d7fea2875d7154dedbd64fc0a6fb5a84460015b432620c8b8e3c253e

SHA512
98c83cbd4151471b52bc9b840109ad6bf7bca16c76696f0e0dc9e21bc8068c855b1e6e8736f28d37f7a40cbf67d01e59f81cdf487952773b79104e00877427d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat

Filesize
202B

MD5
21f5f3d5897c42a29cecaa4d603ea58e

SHA1
c3b364288130697832b31d9366d2899a6a06f1df

SHA256
23f7cf896fd7ea1803abb2438cdfa3a2588b2082ab807e2d4be03f7d50d1c529

SHA512
264605273a33eb4dcc4ac35652501b74bac33a5240e52da0ff3947e79163d2cb7068631a68143fc9d8ddd1767eb64381445319b422fee519ebb57177a3870707

Download Submit
C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

Filesize
202B

MD5
98a8dece07998741cee6cc5b4b8bf68b

SHA1
00e8a9a46c00d07c7ffeb9a8de6a519c80bc2708

SHA256
682b11f8b666358ad29942de2d088332ca3d75f25391fe9863a7031191c4c370

SHA512
5618aaf3fdbf597dd68f246d930b78f36ef3faccae0befd5c0066b424ed9468d738568d5f2bbec100cc07d9f046902d4d37bf966b23654afb67ebbb18e0fee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
202B

MD5
6a1d0aaadf7a4e6c6e69d45a2ce3e763

SHA1
e9926361aaa8d46e40ccf345b917f926052fc813

SHA256
a52f848cd126d7900a289f8cf794bbba4f8bee3d19d4376061de1095973f03eb

SHA512
a8cba16240d7eec71c726123e80aaa6aa4a638facaf74341f74eba7820b1c26fbfaba724f172615951a6096c87301e5872508b425667df520838a51f108f6e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

Filesize
202B

MD5
39ed8a743bd90d90dbccdf867065dad7

SHA1
afa23009d2fa873dc8d4984987fd78c6914c3948

SHA256
fc9d244df126e02d4bac3b0300fdcccf3beb7466e3de09b1a99127a60fa82ae3

SHA512
634d1befa55208b2b91620d59e81cac9813f38aa359fa8885969e0b4a324ca8006e88554006905e73fd09a281ab833e767d56333847f1944381446f9e31d9b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat

Filesize
202B

MD5
ac2baf2d0a399302c1f2bf33155205a1

SHA1
aae6c5416ff7a16649257efc4b2fdd9410869edc

SHA256
fe992c4137f905102fcfc8e632218929e18f4bc12ec0449b6ae33cf496555598

SHA512
3e5681afc59b17c1aa0b3bcefac614409474ddd6cfd080f507ec55946232238d39bf1204092a42977827413fa3f8dad2d15ab6e8625c22c6461af81395a785fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
202B

MD5
ce13d335bab5432ae9c57931ba341535

SHA1
92973fa051dcd84ff84b7ecd528cfa2bfc90ee5b

SHA256
356b31efbc43b2d4959debc5d85a9d371ed606d53dc19200bb8644f62dc846ea

SHA512
086adeaef081a10defe7f71819527839262fb04dbc8f9307043c9c8617bdf4709902b48d3951c6ab3449f1130edf830ca4ff21a8c08a8a8514debcae169bf8ff

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/312-151-0x00000258D8D90000-0x00000258D8DB2000-memory.dmp

Filesize
136KB

Download
memory/312-170-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/312-153-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/316-172-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/316-156-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/1148-203-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/1148-207-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/1504-159-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/1504-177-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/1512-154-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/1512-169-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/1584-200-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/1584-196-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/1588-139-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/1588-140-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/1588-152-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/1684-217-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/1684-221-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/2072-256-0x00007FFC47160000-0x00007FFC47C21000-memory.dmp

Filesize
10.8MB

Download
memory/2072-252-0x00007FFC47160000-0x00007FFC47C21000-memory.dmp

Filesize
10.8MB

Download
memory/2248-224-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/2248-228-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/2400-182-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/2400-186-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/2540-175-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/2540-157-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/2924-231-0x00007FFC47160000-0x00007FFC47C21000-memory.dmp

Filesize
10.8MB

Download
memory/2924-235-0x00007FFC47160000-0x00007FFC47C21000-memory.dmp

Filesize
10.8MB

Download
memory/3180-214-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/3180-210-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/3552-160-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/3552-162-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/4072-238-0x00007FFC47160000-0x00007FFC47C21000-memory.dmp

Filesize
10.8MB

Download
memory/4072-242-0x00007FFC47160000-0x00007FFC47C21000-memory.dmp

Filesize
10.8MB

Download
memory/4180-155-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/4180-171-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/4588-178-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/4588-158-0x00007FFC474C0000-0x00007FFC47F81000-memory.dmp

Filesize
10.8MB

Download
memory/4888-259-0x00007FFC476C0000-0x00007FFC48181000-memory.dmp

Filesize
10.8MB

Download
memory/4888-263-0x00007FFC476C0000-0x00007FFC48181000-memory.dmp

Filesize
10.8MB

Download
memory/4896-245-0x00007FFC47160000-0x00007FFC47C21000-memory.dmp

Filesize
10.8MB

Download
memory/4896-249-0x00007FFC47160000-0x00007FFC47C21000-memory.dmp

Filesize
10.8MB

Download
memory/5092-189-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download
memory/5092-193-0x00007FFC470B0000-0x00007FFC47B71000-memory.dmp

Filesize
10.8MB

Download