Overview

overview

10

Static

static

10

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-02-2023 09:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    418bd27906d38ba3fd04866c8ca6531d210814e17d8d6360ee72a5c171104bae.exe

  • Size

    1.3MB

  • MD5

    6d61deb69dc902c98c4eeb5f74063b95

  • SHA1

    28ee589e503f22e79852972a7d3f9e986d74a3d7

  • SHA256

    418bd27906d38ba3fd04866c8ca6531d210814e17d8d6360ee72a5c171104bae

  • SHA512

    2fadb51511dd3ecce6c4ba77341d90f4af789122240741f869af6a325ec0c326e8053fe9897369eb1427395abbc31b1c23f8c9f4a0123b53c5dc1c39d8d76c64

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\418bd27906d38ba3fd04866c8ca6531d210814e17d8d6360ee72a5c171104bae.exe
    "C:\Users\Admin\AppData\Local\Temp\418bd27906d38ba3fd04866c8ca6531d210814e17d8d6360ee72a5c171104bae.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:68
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2176
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Reader\winlogon.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:588
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\taskhostw.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1848
          • C:\odt\spoolsv.exe
            "C:\odt\spoolsv.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\en-US\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:60
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\odt\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1080

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    0d4853196fed787513a6a8a36109c909

    SHA1

    b0f80985a8287e014cdbcc0fa030d9bc4455e69c

    SHA256

    08615d8ccd8eb0b37eda2df4474c7fe8f3118b8f0d1f42853a715c6eddb7b807

    SHA512

    92854067cee19567619ead6da29623fd4b19489e92dccf9db52aa7bf1ca7f3ab43bc5371c387e5137d4737c5960552eecace4d1f2f0747c3c44195e5cbd0a538

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    0d4853196fed787513a6a8a36109c909

    SHA1

    b0f80985a8287e014cdbcc0fa030d9bc4455e69c

    SHA256

    08615d8ccd8eb0b37eda2df4474c7fe8f3118b8f0d1f42853a715c6eddb7b807

    SHA512

    92854067cee19567619ead6da29623fd4b19489e92dccf9db52aa7bf1ca7f3ab43bc5371c387e5137d4737c5960552eecace4d1f2f0747c3c44195e5cbd0a538

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    843d838fcb921d6bd87530b9d0df9bbf

    SHA1

    d312647b62004d55c2dfc49694b4f1ab18b9011f

    SHA256

    4c06de98c2a07b75ac8d3ead2b7d6f49e5728f85fb81bbae96811764fbffc6dc

    SHA512

    063331e346b624ce776ac6e135a6abeb52916edf5e4bc17ef613b2c6bc4903661d0f0151f8fe0f061c5ef2c0012d59482057fb17119eae4cc2a3808fa9cf9317

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    843d838fcb921d6bd87530b9d0df9bbf

    SHA1

    d312647b62004d55c2dfc49694b4f1ab18b9011f

    SHA256

    4c06de98c2a07b75ac8d3ead2b7d6f49e5728f85fb81bbae96811764fbffc6dc

    SHA512

    063331e346b624ce776ac6e135a6abeb52916edf5e4bc17ef613b2c6bc4903661d0f0151f8fe0f061c5ef2c0012d59482057fb17119eae4cc2a3808fa9cf9317

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    da8d2714fbb724ccf2b08ef2735eac57

    SHA1

    91d2caec7c34b7878afd2ebd3ac660819eb402b2

    SHA256

    27d5765915d6bfdc20004a86fe64f67a5d03a1ad72e379e32fefd45bed645dbe

    SHA512

    7e2ebdd6afd8a0c6a155a987d0821501be003e296b87e3a2afb65b80394bf5c13e0cad509b97259cfb66facc3d24f716e6b5e9177ede2f5d92a5a8923222f2cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    b8a43911fe2a0c6eda02fdb4372639de

    SHA1

    8fd7da7762ce95f3d981ad25f5180b5196d83270

    SHA256

    1f463438973bcbe14baffee0e586af35bbf5e7af205c02690b60df1a7d157233

    SHA512

    e11fb221dbeb4f6304c90a8f2a49b066d6b27c1149760b8fed6c4f4672b4e5cb1adf327dcb8809fcf347b5535c8332cfbd9e170c2170e1c4c07c5d148058a068

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    b8a43911fe2a0c6eda02fdb4372639de

    SHA1

    8fd7da7762ce95f3d981ad25f5180b5196d83270

    SHA256

    1f463438973bcbe14baffee0e586af35bbf5e7af205c02690b60df1a7d157233

    SHA512

    e11fb221dbeb4f6304c90a8f2a49b066d6b27c1149760b8fed6c4f4672b4e5cb1adf327dcb8809fcf347b5535c8332cfbd9e170c2170e1c4c07c5d148058a068

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c39a7d16f8026672b82fee054f95f256

    SHA1

    8bdb4973fedec17cc5039c9c68cd94bb90da7cec

    SHA256

    cba4fc46ff461d45076b6689869f6d4ea49aeee30b371b5ad102321b4ba82768

    SHA512

    d4e9b8f079b5586e45bd1d405cabb417ecf30b370f776b163497934369c891f61c33b6e897b8b1f6e18bf446fd8158ed7d562e68fb17619484b2db1a9f2802c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f339b77a3b878c01876f94b274043619

    SHA1

    a57d965f23f8b1a0c21c833a84c83f40eeb32aba

    SHA256

    9f93d519dd11fcb6f62f80db8e97d4b6add9faed084bb2e59afcac036f6b969e

    SHA512

    b1476efa840368f279354e0b60ca77c3dca314cbcbff0099eee0ae37136ff5061b8d5fb6e3e06ad005e60e88b1dbc88e07fea336052307a9e95e748cbd5b30fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f339b77a3b878c01876f94b274043619

    SHA1

    a57d965f23f8b1a0c21c833a84c83f40eeb32aba

    SHA256

    9f93d519dd11fcb6f62f80db8e97d4b6add9faed084bb2e59afcac036f6b969e

    SHA512

    b1476efa840368f279354e0b60ca77c3dca314cbcbff0099eee0ae37136ff5061b8d5fb6e3e06ad005e60e88b1dbc88e07fea336052307a9e95e748cbd5b30fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d4305a6b9ba310009c0756058efb5729

    SHA1

    b816a35e1068426c98d745f6d299cfb0407b3d25

    SHA256

    ff4c50c9263436955ae97fcf430e0eef451f0a7a1d69f489732cded40afb58f1

    SHA512

    972d4f085fb4765d047abaa8ed39ce45356faee9cf6223a8bc12cf85d50a9a03880fb47a7cf70f68718b66aae0a9cb315abcbb2386cd18de119173b4426e8695

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d4305a6b9ba310009c0756058efb5729

    SHA1

    b816a35e1068426c98d745f6d299cfb0407b3d25

    SHA256

    ff4c50c9263436955ae97fcf430e0eef451f0a7a1d69f489732cded40afb58f1

    SHA512

    972d4f085fb4765d047abaa8ed39ce45356faee9cf6223a8bc12cf85d50a9a03880fb47a7cf70f68718b66aae0a9cb315abcbb2386cd18de119173b4426e8695

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    4342863069d40a090243c2180ffd432f

    SHA1

    ec1a14f2adb1c8bcd5bb16bdb7bf7587ecf78a26

    SHA256

    3b6b6e71a36ca4ae717c91cbd80889e0eab18c68b99daf3c0411bd30cbd108bc

    SHA512

    5457455d2807b685711345ff28478b809ae9ba025676ab70cb6f472951d3139a4693292dbd8992e3086e698c74c1b501ad417fef73d17f16b3d091522d0c8651

    Download Submit

  • C:\odt\spoolsv.exe
    Filesize

    1.0MB

    MD5

    bd31e94b4143c4ce49c17d3af46bcad0

    SHA1

    f8c51ff3ff909531d9469d4ba1bbabae101853ff

    SHA256

    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

    SHA512

    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

    Download Submit

  • C:\odt\spoolsv.exe
    Filesize

    1.0MB

    MD5

    bd31e94b4143c4ce49c17d3af46bcad0

    SHA1

    f8c51ff3ff909531d9469d4ba1bbabae101853ff

    SHA256

    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

    SHA512

    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

    Download Submit

  • C:\providercommon\1zu9dW.bat
    Filesize

    36B

    MD5

    6783c3ee07c7d151ceac57f1f9c8bed7

    SHA1

    17468f98f95bf504cc1f83c49e49a78526b3ea03

    SHA256

    8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

    SHA512

    c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

    Download Submit

  • C:\providercommon\DllCommonsvc.exe
    Filesize

    1.0MB

    MD5

    bd31e94b4143c4ce49c17d3af46bcad0

    SHA1

    f8c51ff3ff909531d9469d4ba1bbabae101853ff

    SHA256

    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

    SHA512

    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

    Download Submit

  • C:\providercommon\DllCommonsvc.exe
    Filesize

    1.0MB

    MD5

    bd31e94b4143c4ce49c17d3af46bcad0

    SHA1

    f8c51ff3ff909531d9469d4ba1bbabae101853ff

    SHA256

    b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

    SHA512

    f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

    Download Submit

  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
    Filesize

    197B

    MD5

    8088241160261560a02c84025d107592

    SHA1

    083121f7027557570994c9fc211df61730455bb5

    SHA256

    2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

    SHA512

    20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

    Download Submit

  • memory/68-255-0x0000000000000000-mapping.dmp

    Download

  • memory/304-289-0x0000000000000000-mapping.dmp

    Download

  • memory/308-288-0x0000000000000000-mapping.dmp

    Download

  • memory/512-286-0x0000000000000000-mapping.dmp

    Download

  • memory/588-292-0x0000000000000000-mapping.dmp

    Download

  • memory/1716-293-0x0000000000000000-mapping.dmp

    Download

  • memory/1808-354-0x0000000000000000-mapping.dmp

    Download

  • memory/1848-308-0x0000000000000000-mapping.dmp

    Download

  • memory/2044-291-0x0000000000000000-mapping.dmp

    Download

  • memory/2176-290-0x0000000000000000-mapping.dmp

    Download

  • memory/2180-179-0x0000000000000000-mapping.dmp

    Download

  • memory/2180-181-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2180-180-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2184-297-0x0000000000000000-mapping.dmp

    Download

  • memory/2388-294-0x0000000000000000-mapping.dmp

    Download

  • memory/2656-144-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-148-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-154-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-155-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-157-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-156-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-158-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-159-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-160-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-161-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-162-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-163-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-164-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-165-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-166-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-167-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-168-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-169-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-170-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-171-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-172-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-173-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-174-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-175-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-176-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-177-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-178-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-152-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-151-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-150-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-149-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-128-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-147-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-116-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-146-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-145-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-117-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-118-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-120-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-121-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-123-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-115-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-143-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-142-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-141-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-140-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-139-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-137-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-138-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-124-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-136-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-129-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-125-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-135-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-153-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-134-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-126-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-133-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-132-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-127-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-131-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-130-0x00000000775D0000-0x000000007775E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3048-304-0x0000000000000000-mapping.dmp

    Download

  • memory/3920-301-0x0000000000000000-mapping.dmp

    Download

  • memory/4528-364-0x0000021B790D0000-0x0000021B79146000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4528-357-0x0000021B789B0000-0x0000021B789D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4528-287-0x0000000000000000-mapping.dmp

    Download

  • memory/4636-313-0x0000000000000000-mapping.dmp

    Download

  • memory/5000-285-0x00000000028C0000-0x00000000028CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/5000-284-0x00000000028A0000-0x00000000028AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/5000-283-0x00000000028D0000-0x00000000028DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/5000-282-0x0000000002890000-0x00000000028A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5000-281-0x0000000000730000-0x0000000000840000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/5000-278-0x0000000000000000-mapping.dmp

    Download