dcrat | 8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949

Analysis

max time kernel
161s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2022, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe
Size

1.3MB
MD5

208f7d8b20f6546e5dbce1a6488f58ac
SHA1

261394e4148ae7fd616be8350464c4608cc7d1e7
SHA256

8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949
SHA512

d2bb39c1647609b999d5124782e1e74e0b20aaf71f4e218f2984859cdb28383bf22e70616c1ec485b974f4d2ec9f76c0bfce7d0002fef77bd781d8b71e381fc2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	632	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	632	schtasks.exe	32

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022f6f-138.dat	dcrat
behavioral1/files/0x0006000000022f6f-137.dat	dcrat
behavioral1/memory/1928-139-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/files/0x0006000000022f84-204.dat	dcrat
behavioral1/files/0x0006000000022f84-203.dat	dcrat
behavioral1/files/0x0006000000022f84-211.dat	dcrat
behavioral1/files/0x0006000000022f84-219.dat	dcrat
behavioral1/files/0x0006000000022f84-226.dat	dcrat
behavioral1/files/0x0006000000022f84-233.dat	dcrat

Executes dropped EXE 6 IoCs

pid	Process
1928	DllCommonsvc.exe
4872	dllhost.exe
5088	dllhost.exe
3468	dllhost.exe
4500	dllhost.exe
1396	dllhost.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\SearchApp.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2656	schtasks.exe
1708	schtasks.exe
3216	schtasks.exe
1192	schtasks.exe
3484	schtasks.exe
2832	schtasks.exe
3120	schtasks.exe
1144	schtasks.exe
3364	schtasks.exe
480	schtasks.exe
4760	schtasks.exe
3344	schtasks.exe
3600	schtasks.exe
4844	schtasks.exe
4184	schtasks.exe
3036	schtasks.exe
644	schtasks.exe
4732	schtasks.exe
4376	schtasks.exe
3824	schtasks.exe
2448	schtasks.exe
1752	schtasks.exe
3084	schtasks.exe
2452	schtasks.exe
2268	schtasks.exe
4496	schtasks.exe
1300	schtasks.exe
3848	schtasks.exe
1472	schtasks.exe
3540	schtasks.exe
1384	schtasks.exe
4804	schtasks.exe
2932	schtasks.exe
1492	schtasks.exe
4772	schtasks.exe
3748	schtasks.exe
944	schtasks.exe
2372	schtasks.exe
1368	schtasks.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
1928	DllCommonsvc.exe
1928	DllCommonsvc.exe
1928	DllCommonsvc.exe
1928	DllCommonsvc.exe
1928	DllCommonsvc.exe
1928	DllCommonsvc.exe
1928	DllCommonsvc.exe
2236	powershell.exe
2236	powershell.exe
3360	powershell.exe
3360	powershell.exe
4452	powershell.exe
4452	powershell.exe
1920	powershell.exe
1920	powershell.exe
2032	powershell.exe
2032	powershell.exe
3804	powershell.exe
3804	powershell.exe
4300	powershell.exe
4300	powershell.exe
3444	powershell.exe
3444	powershell.exe
1696	powershell.exe
1696	powershell.exe
4084	powershell.exe
4084	powershell.exe
4364	powershell.exe
4364	powershell.exe
4188	powershell.exe
4188	powershell.exe
3996	powershell.exe
3996	powershell.exe
4928	powershell.exe
4928	powershell.exe
2032	powershell.exe
2032	powershell.exe
2236	powershell.exe
2236	powershell.exe
1920	powershell.exe
1920	powershell.exe
3360	powershell.exe
3360	powershell.exe
4452	powershell.exe
4452	powershell.exe
3804	powershell.exe
4300	powershell.exe
3444	powershell.exe
1696	powershell.exe
4188	powershell.exe
3996	powershell.exe
4084	powershell.exe
4364	powershell.exe
4928	powershell.exe
4872	dllhost.exe
5088	dllhost.exe
3468	dllhost.exe
4500	dllhost.exe
1396	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	DllCommonsvc.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4872	dllhost.exe
Token: SeDebugPrivilege	5088	dllhost.exe
Token: SeDebugPrivilege	3468	dllhost.exe
Token: SeDebugPrivilege	4500	dllhost.exe
Token: SeDebugPrivilege	1396	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 4988	1336	8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe	81
PID 1336 wrote to memory of 4988	1336	8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe	81
PID 1336 wrote to memory of 4988	1336	8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe	81
PID 4988 wrote to memory of 2616	4988	WScript.exe	84
PID 4988 wrote to memory of 2616	4988	WScript.exe	84
PID 4988 wrote to memory of 2616	4988	WScript.exe	84
PID 2616 wrote to memory of 1928	2616	cmd.exe	87
PID 2616 wrote to memory of 1928	2616	cmd.exe	87
PID 1928 wrote to memory of 3804	1928	DllCommonsvc.exe	129
PID 1928 wrote to memory of 3804	1928	DllCommonsvc.exe	129
PID 1928 wrote to memory of 2032	1928	DllCommonsvc.exe	130
PID 1928 wrote to memory of 2032	1928	DllCommonsvc.exe	130
PID 1928 wrote to memory of 1920	1928	DllCommonsvc.exe	131
PID 1928 wrote to memory of 1920	1928	DllCommonsvc.exe	131
PID 1928 wrote to memory of 4452	1928	DllCommonsvc.exe	132
PID 1928 wrote to memory of 4452	1928	DllCommonsvc.exe	132
PID 1928 wrote to memory of 2236	1928	DllCommonsvc.exe	133
PID 1928 wrote to memory of 2236	1928	DllCommonsvc.exe	133
PID 1928 wrote to memory of 3360	1928	DllCommonsvc.exe	139
PID 1928 wrote to memory of 3360	1928	DllCommonsvc.exe	139
PID 1928 wrote to memory of 1696	1928	DllCommonsvc.exe	137
PID 1928 wrote to memory of 1696	1928	DllCommonsvc.exe	137
PID 1928 wrote to memory of 4300	1928	DllCommonsvc.exe	144
PID 1928 wrote to memory of 4300	1928	DllCommonsvc.exe	144
PID 1928 wrote to memory of 3444	1928	DllCommonsvc.exe	145
PID 1928 wrote to memory of 3444	1928	DllCommonsvc.exe	145
PID 1928 wrote to memory of 4084	1928	DllCommonsvc.exe	146
PID 1928 wrote to memory of 4084	1928	DllCommonsvc.exe	146
PID 1928 wrote to memory of 4364	1928	DllCommonsvc.exe	149
PID 1928 wrote to memory of 4364	1928	DllCommonsvc.exe	149
PID 1928 wrote to memory of 4188	1928	DllCommonsvc.exe	151
PID 1928 wrote to memory of 4188	1928	DllCommonsvc.exe	151
PID 1928 wrote to memory of 3996	1928	DllCommonsvc.exe	152
PID 1928 wrote to memory of 3996	1928	DllCommonsvc.exe	152
PID 1928 wrote to memory of 4928	1928	DllCommonsvc.exe	154
PID 1928 wrote to memory of 4928	1928	DllCommonsvc.exe	154
PID 1928 wrote to memory of 4616	1928	DllCommonsvc.exe	158
PID 1928 wrote to memory of 4616	1928	DllCommonsvc.exe	158
PID 4616 wrote to memory of 1080	4616	cmd.exe	160
PID 4616 wrote to memory of 1080	4616	cmd.exe	160
PID 4616 wrote to memory of 4872	4616	cmd.exe	161
PID 4616 wrote to memory of 4872	4616	cmd.exe	161
PID 4872 wrote to memory of 5040	4872	dllhost.exe	162
PID 4872 wrote to memory of 5040	4872	dllhost.exe	162
PID 5040 wrote to memory of 3956	5040	cmd.exe	164
PID 5040 wrote to memory of 3956	5040	cmd.exe	164
PID 5040 wrote to memory of 5088	5040	cmd.exe	165
PID 5040 wrote to memory of 5088	5040	cmd.exe	165
PID 5088 wrote to memory of 3732	5088	dllhost.exe	166
PID 5088 wrote to memory of 3732	5088	dllhost.exe	166
PID 3732 wrote to memory of 3740	3732	cmd.exe	168
PID 3732 wrote to memory of 3740	3732	cmd.exe	168
PID 3732 wrote to memory of 3468	3732	cmd.exe	169
PID 3732 wrote to memory of 3468	3732	cmd.exe	169
PID 3468 wrote to memory of 4964	3468	dllhost.exe	170
PID 3468 wrote to memory of 4964	3468	dllhost.exe	170
PID 4964 wrote to memory of 456	4964	cmd.exe	172
PID 4964 wrote to memory of 456	4964	cmd.exe	172
PID 4964 wrote to memory of 4500	4964	cmd.exe	173
PID 4964 wrote to memory of 4500	4964	cmd.exe	173
PID 4500 wrote to memory of 260	4500	dllhost.exe	174
PID 4500 wrote to memory of 260	4500	dllhost.exe	174
PID 260 wrote to memory of 3084	260	cmd.exe	176
PID 260 wrote to memory of 3084	260	cmd.exe	176

C:\Users\Admin\AppData\Local\Temp\8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe
"C:\Users\Admin\AppData\Local\Temp\8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmdigGiX9k.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1080
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3956
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3740
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:456
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3084
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\providercommon\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat

Filesize
248B

MD5
4260202067b97e0c0d2169790cc6a0d1

SHA1
70299d7bd2c4e4dda0953b3dae706b3573b037db

SHA256
01155ac55479db9de8405ac1c7c39da5b1a79b309178bddf74b25c0c61144432

SHA512
fc9e132ad92b543bb2653979ee52c0d00ea8f3d5f89099bbefcfee477b594747bc442689b7f4aaee6900d719946bd4e5592b2b1d7905838c1e531e5ab711d18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat

Filesize
248B

MD5
a6bbd04b528ba85ba2bc3e0bd5461aaa

SHA1
ebc6715b92b592ef3567986591eb8493991cd164

SHA256
d1cb4903cb28231421a83fb524f4512aa1758bb5babe30ab0443c348196b91c0

SHA512
e39784616ec59058e664e961692ba38ebb1bf14e6c731caffedcb11d9b783dc49e7ad84a8c3310966ecef6c8e494ba43f80923bcdad6eaadda1be115a6c446e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

Filesize
248B

MD5
1ed429194118b7a4681a4b343c65d4e3

SHA1
592c115f87f6957bfb41a29472bf275da95ed4b7

SHA256
83e2e205edab174e1a2b1216555fff3f049b32b15f2fcc98d2502511babeb641

SHA512
a6891246ff5dd3e003da834fa35a851c22233dee69ee93c862828de427d426d809d6520005b68f55c46c3ce337df97ec72f9faecf071c76ff70a51fe11e93373

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmdigGiX9k.bat

Filesize
248B

MD5
8562d5cff15a0f482770c2098297dbda

SHA1
daac3f6de46ec086a1d0639c683ff4e13ca25f61

SHA256
ce28cc487de0cee2eeadfe64c0f1bdeae7cf5a5ca9e33bdcff0ca01f3153799d

SHA512
e752102ed773129f19c08c3dd37d845dab8b565c8ccba2e4b453675be881af9727c2ab3dcdb8ace6c9f79b0ddd3505d84bcb08cac06cb8263a4d06b430a7ca13

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
248B

MD5
88793c102fad152f7a80cf8640b4e6cf

SHA1
46bb68a1a9efdccbe1a9225cd3eb2a2d16b0ccae

SHA256
ed5b63e38a3df864eed45abf9c93fe5e565dbd1f5a99905ecefd28cfc7345432

SHA512
f42e474d59be2d375c76eea3049ee3f0c3749303652bd630c6ab58ae6fd6b62dab3e9671c1213dff37cbe33b6e0ebd0a47c7b2844aba5edfaaf0d79b01d8fd5c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1396-234-0x00007FFEDA1C0000-0x00007FFEDAC81000-memory.dmp

Filesize
10.8MB

Download
memory/1696-196-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/1696-166-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/1920-180-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/1920-162-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/1928-161-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/1928-140-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/1928-139-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/2032-178-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/2032-157-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/2236-159-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/2236-183-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/2236-155-0x00000156C6AD0000-0x00000156C6AF2000-memory.dmp

Filesize
136KB

Download
memory/3360-156-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/3360-181-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/3444-192-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/3444-165-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/3468-220-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/3468-224-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/3804-187-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/3804-163-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/3996-173-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/3996-201-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4084-167-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4084-189-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4188-168-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4188-200-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4300-164-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4300-185-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4364-198-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4364-172-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4452-160-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4452-184-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4500-231-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4500-227-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4872-205-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4872-209-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4928-169-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/4928-195-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/5088-217-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download
memory/5088-213-0x00007FFED9E90000-0x00007FFEDA951000-memory.dmp

Filesize
10.8MB

Download