dcrat | 333eab256391cecdda902d506952e1b4c83444f1ae3874e7092bcf41e62f8077

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17c93cd212fba3b61aa7c3a6ff382c23.exe
Size

2.6MB
MD5

17c93cd212fba3b61aa7c3a6ff382c23
SHA1

1f9e9f7e51dec2491210717cba4540fb15deb71e
SHA256

333eab256391cecdda902d506952e1b4c83444f1ae3874e7092bcf41e62f8077
SHA512

865001a8369a163d99496ccbcc812ff17ad655fb71821fb458ddc0fbe269ae78f3bdad7a676532aaee11bd72a697698353638b42ec0d85faa0853affe772bc73
SSDEEP

49152:IpTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:IZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3924	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/804-132-0x00000000008A0000-0x0000000000B44000-memory.dmp	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17c93cd212fba3b61aa7c3a6ff382c23.exe

Drops file in Program Files directory 21 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe

description	ioc	process
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXBF9.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\SearchApp.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files\MSBuild\Microsoft\38384e6a620884	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\6cb0b6c459d5d3	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\0a1fd5f707cd16	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX17B8.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\RCX20E6.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\RCX32F1.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\RCX362F.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\sppsvc.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\sppsvc.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX1846.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\RCX2174.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\dwm.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files\MSBuild\Microsoft\SearchApp.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\csrss.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\dwm.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXB7B.tmp	17c93cd212fba3b61aa7c3a6ff382c23.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1396 804 WerFault.exe 17c93cd212fba3b61aa7c3a6ff382c23.exe

pid	pid_target	process	target process
1396	804	WerFault.exe	17c93cd212fba3b61aa7c3a6ff382c23.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2228	schtasks.exe
3664	schtasks.exe
4640	schtasks.exe
1472	schtasks.exe
4524	schtasks.exe
4556	schtasks.exe
3976	schtasks.exe
672	schtasks.exe
5080	schtasks.exe
4812	schtasks.exe
3444	schtasks.exe
4604	schtasks.exe
5104	schtasks.exe
4296	schtasks.exe
3504	schtasks.exe
4212	schtasks.exe
2224	schtasks.exe
1396	schtasks.exe
3904	schtasks.exe
2240	schtasks.exe
3836	schtasks.exe
812	schtasks.exe
4412	schtasks.exe
4416	schtasks.exe
3696	schtasks.exe
4400	schtasks.exe
1212	schtasks.exe
396	schtasks.exe
4688	schtasks.exe
5008	schtasks.exe
2112	schtasks.exe
1944	schtasks.exe
4808	schtasks.exe
372	schtasks.exe
3872	schtasks.exe
3440	schtasks.exe
4204	schtasks.exe
4120	schtasks.exe
2700	schtasks.exe
740	schtasks.exe
4184	schtasks.exe
5084	schtasks.exe
4448	schtasks.exe
5016	schtasks.exe
4952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe

pid	process
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe
804	17c93cd212fba3b61aa7c3a6ff382c23.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	804	17c93cd212fba3b61aa7c3a6ff382c23.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe

description	pid	process	target process
PID 804 wrote to memory of 4860	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 4860	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 1644	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 1644	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3188	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3188	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 1700	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 1700	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 2672	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 2672	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3320	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3320	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 4396	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 4396	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 5028	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 5028	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3040	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3040	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3032	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3032	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 4584	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 4584	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 2248	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 2248	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 1552	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 1552	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 4412	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 4412	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 1912	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 1912	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3564	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe
PID 804 wrote to memory of 3564	804	17c93cd212fba3b61aa7c3a6ff382c23.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

17c93cd212fba3b61aa7c3a6ff382c23.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	17c93cd212fba3b61aa7c3a6ff382c23.exe

C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe
"C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\17c93cd212fba3b61aa7c3a6ff382c23.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\SearchApp.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\smss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Idle.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\dwm.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\upfc.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Registry.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchApp.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\sppsvc.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 804 -s 1120
2⤵
- Program crash
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\backgroundTaskHost.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 804 -ip 804
1⤵
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
memory/804-168-0x000000001E020000-0x000000001E024000-memory.dmp

Filesize
16KB

Download
memory/804-137-0x000000001E020000-0x000000001E024000-memory.dmp

Filesize
16KB

Download
memory/804-136-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/804-169-0x000000001E024000-0x000000001E027000-memory.dmp

Filesize
12KB

Download
memory/804-133-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/804-138-0x000000001E024000-0x000000001E027000-memory.dmp

Filesize
12KB

Download
memory/804-167-0x000000001B679000-0x000000001B67F000-memory.dmp

Filesize
24KB

Download
memory/804-139-0x000000001B679000-0x000000001B67F000-memory.dmp

Filesize
24KB

Download
memory/804-134-0x000000001D2B0000-0x000000001D7D8000-memory.dmp

Filesize
5.2MB

Download
memory/804-132-0x00000000008A0000-0x0000000000B44000-memory.dmp

Filesize
2.6MB

Download
memory/804-135-0x000000001B679000-0x000000001B67F000-memory.dmp

Filesize
24KB

Download
memory/804-165-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/1552-200-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/1552-172-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/1552-152-0x0000000000000000-mapping.dmp

Download
memory/1644-158-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/1644-179-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/1644-141-0x0000000000000000-mapping.dmp

Download
memory/1700-160-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/1700-143-0x0000000000000000-mapping.dmp

Download
memory/1700-190-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/1912-207-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/1912-154-0x0000000000000000-mapping.dmp

Download
memory/1912-173-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/2248-208-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/2248-151-0x0000000000000000-mapping.dmp

Download
memory/2248-171-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/2672-144-0x0000000000000000-mapping.dmp

Download
memory/2672-161-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/2672-193-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3032-166-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3032-149-0x0000000000000000-mapping.dmp

Download
memory/3032-188-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3040-202-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3040-170-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3040-148-0x0000000000000000-mapping.dmp

Download
memory/3188-189-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3188-142-0x0000000000000000-mapping.dmp

Download
memory/3188-159-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3320-162-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3320-185-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3320-145-0x0000000000000000-mapping.dmp

Download
memory/3564-186-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3564-174-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3564-155-0x0000000000000000-mapping.dmp

Download
memory/4396-163-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/4396-195-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/4396-146-0x0000000000000000-mapping.dmp

Download
memory/4412-153-0x0000000000000000-mapping.dmp

Download
memory/4412-176-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/4412-206-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/4584-175-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/4584-201-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/4584-150-0x0000000000000000-mapping.dmp

Download
memory/4860-156-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/4860-187-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/4860-157-0x00000223D3CC0000-0x00000223D3CE2000-memory.dmp

Filesize
136KB

Download
memory/4860-140-0x0000000000000000-mapping.dmp

Download
memory/5028-147-0x0000000000000000-mapping.dmp

Download
memory/5028-164-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/5028-197-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download