Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2023, 09:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81f7de865dd3d36502d9f114aa192bf57bb238dcbb25e1de54e9b6ab4ce1709e.exe

  • Size

    1.3MB

  • MD5

    1efd23d06cba06d35156834537c2e130

  • SHA1

    708bd5dde7f98b9935232aebae8ec7072ac54207

  • SHA256

    81f7de865dd3d36502d9f114aa192bf57bb238dcbb25e1de54e9b6ab4ce1709e

  • SHA512

    7b79a0f8d953be0bbb8ff25a9c4534cad900ea3a8845649af3d17e8a8a7d4d354811460dbd9fcb9d85569a7b35d10a0fc0209baafa564d599ae6f62368322db5

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81f7de865dd3d36502d9f114aa192bf57bb238dcbb25e1de54e9b6ab4ce1709e.exe
    "C:\Users\Admin\AppData\Local\Temp\81f7de865dd3d36502d9f114aa192bf57bb238dcbb25e1de54e9b6ab4ce1709e.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4196
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\upfc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Characters\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3980
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12nhm3yCQU.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2072
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1844
              • C:\providercommon\conhost.exe
                "C:\providercommon\conhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:4748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Characters\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\Characters\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Characters\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\odt\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2196
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3820
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2664
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4688

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      9611cc3fb39fedd4b0e81d90b044531c

      SHA1

      e35c10c1c1e29d44222114e0f72d58b3072880fd

      SHA256

      2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec

      SHA512

      92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e8ce785f8ccc6d202d56fefc59764945

      SHA1

      ca032c62ddc5e0f26d84eff9895eb87f14e15960

      SHA256

      d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

      SHA512

      66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e8ce785f8ccc6d202d56fefc59764945

      SHA1

      ca032c62ddc5e0f26d84eff9895eb87f14e15960

      SHA256

      d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

      SHA512

      66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      3a6bad9528f8e23fb5c77fbd81fa28e8

      SHA1

      f127317c3bc6407f536c0f0600dcbcf1aabfba36

      SHA256

      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

      SHA512

      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      3a6bad9528f8e23fb5c77fbd81fa28e8

      SHA1

      f127317c3bc6407f536c0f0600dcbcf1aabfba36

      SHA256

      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

      SHA512

      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      3a6bad9528f8e23fb5c77fbd81fa28e8

      SHA1

      f127317c3bc6407f536c0f0600dcbcf1aabfba36

      SHA256

      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

      SHA512

      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      101c3b86ef1c02c62b7d862c2a47363b

      SHA1

      3c5e8d309610e5ba41b6b9788bfb826e45864b46

      SHA256

      9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

      SHA512

      d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\12nhm3yCQU.bat
      Filesize

      194B

      MD5

      345e1c944f79c8e42d3627ba27f6af2a

      SHA1

      ef48acee9dfc13b741ea4437831a70949675f743

      SHA256

      4ed36cad032babc697b5817ce1aa6d6cc5608b5330f57afc780ed24e9290620b

      SHA512

      80a7da063acd0b509a02165b79f9c2a4fdeb269f9d9fdff342c328a5dc8059c5c4bd7fa8fc6520fd4f1d38032ca9bf42f8299d22b047a010d80be1111ce6f048

      Download Submit

    • C:\providercommon\1zu9dW.bat
      Filesize

      36B

      MD5

      6783c3ee07c7d151ceac57f1f9c8bed7

      SHA1

      17468f98f95bf504cc1f83c49e49a78526b3ea03

      SHA256

      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

      SHA512

      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

      Download Submit

    • C:\providercommon\DllCommonsvc.exe
      Filesize

      1.0MB

      MD5

      bd31e94b4143c4ce49c17d3af46bcad0

      SHA1

      f8c51ff3ff909531d9469d4ba1bbabae101853ff

      SHA256

      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

      SHA512

      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

      Download Submit

    • C:\providercommon\DllCommonsvc.exe
      Filesize

      1.0MB

      MD5

      bd31e94b4143c4ce49c17d3af46bcad0

      SHA1

      f8c51ff3ff909531d9469d4ba1bbabae101853ff

      SHA256

      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

      SHA512

      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

      Download Submit

    • C:\providercommon\conhost.exe
      Filesize

      1.0MB

      MD5

      bd31e94b4143c4ce49c17d3af46bcad0

      SHA1

      f8c51ff3ff909531d9469d4ba1bbabae101853ff

      SHA256

      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

      SHA512

      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

      Download Submit

    • C:\providercommon\conhost.exe
      Filesize

      1.0MB

      MD5

      bd31e94b4143c4ce49c17d3af46bcad0

      SHA1

      f8c51ff3ff909531d9469d4ba1bbabae101853ff

      SHA256

      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

      SHA512

      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

      Download Submit

    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
      Filesize

      197B

      MD5

      8088241160261560a02c84025d107592

      SHA1

      083121f7027557570994c9fc211df61730455bb5

      SHA256

      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

      SHA512

      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

      Download Submit

    • memory/664-189-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/664-164-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/812-181-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/812-161-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/908-154-0x000002196D720000-0x000002196D742000-memory.dmp

      Filesize

      136KB

      Download

    • memory/908-153-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/908-169-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2304-168-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2304-185-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2356-140-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2356-139-0x0000000000E60000-0x0000000000F70000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2356-158-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2808-191-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2808-163-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2884-170-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2884-190-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3552-193-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3552-162-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3616-173-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3616-160-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3916-184-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3916-167-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3980-155-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3980-179-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4196-180-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4196-159-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4748-197-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4748-198-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4880-157-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4880-178-0x00007FF870630000-0x00007FF8710F1000-memory.dmp

      Filesize

      10.8MB

      Download