dcrat | f8fbd979a390840c4f262b71602dc69ca3c2bd674bf4edf4f890a612ce2a8bf0

Analysis

max time kernel
147s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8fbd979a390840c4f262b71602dc69ca3c2bd674bf4edf4f890a612ce2a8bf0.exe
Size

1.3MB
MD5

4ea52ac8c9c51292215de13dbab698ca
SHA1

3319a995681d7e3f652b21cdbb3f9e84904b6954
SHA256

f8fbd979a390840c4f262b71602dc69ca3c2bd674bf4edf4f890a612ce2a8bf0
SHA512

c2fc9e45c87a1e0a2df7bade727671fec9ce21b175c08adcd2d5bd7649ee5c70f985f85866fb34b939baa5e3d2fd3e1b043a78d139c329cbc8614e6b075d3628
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	4828	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	4828	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a00000001abfb-284.dat	dcrat
behavioral1/files/0x000a00000001abfb-285.dat	dcrat
behavioral1/memory/3600-286-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac28-331.dat	dcrat
behavioral1/files/0x000600000001ac28-330.dat	dcrat
behavioral1/files/0x000600000001ac28-685.dat	dcrat
behavioral1/files/0x000600000001ac28-691.dat	dcrat
behavioral1/files/0x000600000001ac28-696.dat	dcrat
behavioral1/files/0x000600000001ac28-701.dat	dcrat
behavioral1/files/0x000600000001ac28-706.dat	dcrat
behavioral1/files/0x000600000001ac28-711.dat	dcrat
behavioral1/files/0x000600000001ac28-716.dat	dcrat
behavioral1/files/0x000600000001ac28-721.dat	dcrat
behavioral1/files/0x000600000001ac28-727.dat	dcrat
behavioral1/files/0x000600000001ac28-732.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3600	DllCommonsvc.exe
4976	services.exe
2192	services.exe
4904	services.exe
2736	services.exe
4920	services.exe
4524	services.exe
4900	services.exe
4104	services.exe
4708	services.exe
4520	services.exe
2164	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
680	schtasks.exe
3964	schtasks.exe
2220	schtasks.exe
944	schtasks.exe
3756	schtasks.exe
1488	schtasks.exe
1216	schtasks.exe
5084	schtasks.exe
2136	schtasks.exe
2772	schtasks.exe
460	schtasks.exe
1972	schtasks.exe
1952	schtasks.exe
4124	schtasks.exe
4268	schtasks.exe
4132	schtasks.exe
60	schtasks.exe
1212	schtasks.exe
2852	schtasks.exe
3980	schtasks.exe
948	schtasks.exe
1860	schtasks.exe
2768	schtasks.exe
392	schtasks.exe
4060	schtasks.exe
4160	schtasks.exe
5112	schtasks.exe
712	schtasks.exe
1392	schtasks.exe
4020	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	f8fbd979a390840c4f262b71602dc69ca3c2bd674bf4edf4f890a612ce2a8bf0.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
3600	DllCommonsvc.exe
3600	DllCommonsvc.exe
3600	DllCommonsvc.exe
3600	DllCommonsvc.exe
3600	DllCommonsvc.exe
1948	powershell.exe
1768	powershell.exe
1496	powershell.exe
340	powershell.exe
220	powershell.exe
2264	powershell.exe
1864	powershell.exe
2940	powershell.exe
1500	powershell.exe
1500	powershell.exe
220	powershell.exe
220	powershell.exe
200	powershell.exe
200	powershell.exe
2292	powershell.exe
2292	powershell.exe
2264	powershell.exe
2264	powershell.exe
1864	powershell.exe
1864	powershell.exe
4976	services.exe
4976	services.exe
220	powershell.exe
1948	powershell.exe
1948	powershell.exe
1768	powershell.exe
1768	powershell.exe
1496	powershell.exe
1496	powershell.exe
340	powershell.exe
340	powershell.exe
200	powershell.exe
2292	powershell.exe
1500	powershell.exe
2940	powershell.exe
2940	powershell.exe
2264	powershell.exe
1864	powershell.exe
1948	powershell.exe
1768	powershell.exe
1496	powershell.exe
200	powershell.exe
340	powershell.exe
2292	powershell.exe
2940	powershell.exe
1500	powershell.exe
2192	services.exe
4904	services.exe
2736	services.exe
4920	services.exe
4524	services.exe
4900	services.exe
4104	services.exe
4708	services.exe
4520	services.exe
2164	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	DllCommonsvc.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4976	services.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeIncreaseQuotaPrivilege	220	powershell.exe
Token: SeSecurityPrivilege	220	powershell.exe
Token: SeTakeOwnershipPrivilege	220	powershell.exe
Token: SeLoadDriverPrivilege	220	powershell.exe
Token: SeSystemProfilePrivilege	220	powershell.exe
Token: SeSystemtimePrivilege	220	powershell.exe
Token: SeProfSingleProcessPrivilege	220	powershell.exe
Token: SeIncBasePriorityPrivilege	220	powershell.exe
Token: SeCreatePagefilePrivilege	220	powershell.exe
Token: SeBackupPrivilege	220	powershell.exe
Token: SeRestorePrivilege	220	powershell.exe
Token: SeShutdownPrivilege	220	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeSystemEnvironmentPrivilege	220	powershell.exe
Token: SeRemoteShutdownPrivilege	220	powershell.exe
Token: SeUndockPrivilege	220	powershell.exe
Token: SeManageVolumePrivilege	220	powershell.exe
Token: 33	220	powershell.exe
Token: 34	220	powershell.exe
Token: 35	220	powershell.exe
Token: 36	220	powershell.exe
Token: SeIncreaseQuotaPrivilege	2264	powershell.exe
Token: SeSecurityPrivilege	2264	powershell.exe
Token: SeTakeOwnershipPrivilege	2264	powershell.exe
Token: SeLoadDriverPrivilege	2264	powershell.exe
Token: SeSystemProfilePrivilege	2264	powershell.exe
Token: SeSystemtimePrivilege	2264	powershell.exe
Token: SeProfSingleProcessPrivilege	2264	powershell.exe
Token: SeIncBasePriorityPrivilege	2264	powershell.exe
Token: SeCreatePagefilePrivilege	2264	powershell.exe
Token: SeBackupPrivilege	2264	powershell.exe
Token: SeRestorePrivilege	2264	powershell.exe
Token: SeShutdownPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeSystemEnvironmentPrivilege	2264	powershell.exe
Token: SeRemoteShutdownPrivilege	2264	powershell.exe
Token: SeUndockPrivilege	2264	powershell.exe
Token: SeManageVolumePrivilege	2264	powershell.exe
Token: 33	2264	powershell.exe
Token: 34	2264	powershell.exe
Token: 35	2264	powershell.exe
Token: 36	2264	powershell.exe
Token: SeIncreaseQuotaPrivilege	1864	powershell.exe
Token: SeSecurityPrivilege	1864	powershell.exe
Token: SeTakeOwnershipPrivilege	1864	powershell.exe
Token: SeLoadDriverPrivilege	1864	powershell.exe
Token: SeSystemProfilePrivilege	1864	powershell.exe
Token: SeSystemtimePrivilege	1864	powershell.exe
Token: SeProfSingleProcessPrivilege	1864	powershell.exe
Token: SeIncBasePriorityPrivilege	1864	powershell.exe
Token: SeCreatePagefilePrivilege	1864	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4588	4740	f8fbd979a390840c4f262b71602dc69ca3c2bd674bf4edf4f890a612ce2a8bf0.exe	66
PID 4740 wrote to memory of 4588	4740	f8fbd979a390840c4f262b71602dc69ca3c2bd674bf4edf4f890a612ce2a8bf0.exe	66
PID 4740 wrote to memory of 4588	4740	f8fbd979a390840c4f262b71602dc69ca3c2bd674bf4edf4f890a612ce2a8bf0.exe	66
PID 4588 wrote to memory of 4288	4588	WScript.exe	67
PID 4588 wrote to memory of 4288	4588	WScript.exe	67
PID 4588 wrote to memory of 4288	4588	WScript.exe	67
PID 4288 wrote to memory of 3600	4288	cmd.exe	69
PID 4288 wrote to memory of 3600	4288	cmd.exe	69
PID 3600 wrote to memory of 1948	3600	DllCommonsvc.exe	101
PID 3600 wrote to memory of 1948	3600	DllCommonsvc.exe	101
PID 3600 wrote to memory of 1768	3600	DllCommonsvc.exe	110
PID 3600 wrote to memory of 1768	3600	DllCommonsvc.exe	110
PID 3600 wrote to memory of 1496	3600	DllCommonsvc.exe	102
PID 3600 wrote to memory of 1496	3600	DllCommonsvc.exe	102
PID 3600 wrote to memory of 340	3600	DllCommonsvc.exe	103
PID 3600 wrote to memory of 340	3600	DllCommonsvc.exe	103
PID 3600 wrote to memory of 220	3600	DllCommonsvc.exe	106
PID 3600 wrote to memory of 220	3600	DllCommonsvc.exe	106
PID 3600 wrote to memory of 200	3600	DllCommonsvc.exe	104
PID 3600 wrote to memory of 200	3600	DllCommonsvc.exe	104
PID 3600 wrote to memory of 2292	3600	DllCommonsvc.exe	111
PID 3600 wrote to memory of 2292	3600	DllCommonsvc.exe	111
PID 3600 wrote to memory of 2264	3600	DllCommonsvc.exe	112
PID 3600 wrote to memory of 2264	3600	DllCommonsvc.exe	112
PID 3600 wrote to memory of 1864	3600	DllCommonsvc.exe	119
PID 3600 wrote to memory of 1864	3600	DllCommonsvc.exe	119
PID 3600 wrote to memory of 1500	3600	DllCommonsvc.exe	115
PID 3600 wrote to memory of 1500	3600	DllCommonsvc.exe	115
PID 3600 wrote to memory of 2940	3600	DllCommonsvc.exe	117
PID 3600 wrote to memory of 2940	3600	DllCommonsvc.exe	117
PID 3600 wrote to memory of 4976	3600	DllCommonsvc.exe	123
PID 3600 wrote to memory of 4976	3600	DllCommonsvc.exe	123
PID 4976 wrote to memory of 2288	4976	services.exe	125
PID 4976 wrote to memory of 2288	4976	services.exe	125
PID 2288 wrote to memory of 5044	2288	cmd.exe	127
PID 2288 wrote to memory of 5044	2288	cmd.exe	127
PID 2288 wrote to memory of 2192	2288	cmd.exe	128
PID 2288 wrote to memory of 2192	2288	cmd.exe	128
PID 2192 wrote to memory of 4928	2192	services.exe	129
PID 2192 wrote to memory of 4928	2192	services.exe	129
PID 4928 wrote to memory of 3364	4928	cmd.exe	131
PID 4928 wrote to memory of 3364	4928	cmd.exe	131
PID 4928 wrote to memory of 4904	4928	cmd.exe	132
PID 4928 wrote to memory of 4904	4928	cmd.exe	132
PID 4904 wrote to memory of 4288	4904	services.exe	133
PID 4904 wrote to memory of 4288	4904	services.exe	133
PID 4288 wrote to memory of 620	4288	cmd.exe	135
PID 4288 wrote to memory of 620	4288	cmd.exe	135
PID 4288 wrote to memory of 2736	4288	cmd.exe	136
PID 4288 wrote to memory of 2736	4288	cmd.exe	136
PID 2736 wrote to memory of 4112	2736	services.exe	137
PID 2736 wrote to memory of 4112	2736	services.exe	137
PID 4112 wrote to memory of 5032	4112	cmd.exe	139
PID 4112 wrote to memory of 5032	4112	cmd.exe	139
PID 4112 wrote to memory of 4920	4112	cmd.exe	140
PID 4112 wrote to memory of 4920	4112	cmd.exe	140
PID 4920 wrote to memory of 1764	4920	services.exe	141
PID 4920 wrote to memory of 1764	4920	services.exe	141
PID 1764 wrote to memory of 4316	1764	cmd.exe	143
PID 1764 wrote to memory of 4316	1764	cmd.exe	143
PID 1764 wrote to memory of 4524	1764	cmd.exe	144
PID 1764 wrote to memory of 4524	1764	cmd.exe	144
PID 4524 wrote to memory of 1776	4524	services.exe	145
PID 4524 wrote to memory of 1776	4524	services.exe	145

C:\Users\Admin\AppData\Local\Temp\f8fbd979a390840c4f262b71602dc69ca3c2bd674bf4edf4f890a612ce2a8bf0.exe
"C:\Users\Admin\AppData\Local\Temp\f8fbd979a390840c4f262b71602dc69ca3c2bd674bf4edf4f890a612ce2a8bf0.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5044
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3364
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:620
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5032
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4316
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        16⤵
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4188
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        18⤵
        
        PID:4120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2420
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
        20⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:348
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        22⤵
        
        PID:1500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2272
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
        24⤵
        
        PID:4044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3864
        
        C:\Users\Default\Favorites\services.exe
        
        "C:\Users\Default\Favorites\services.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        26⤵
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f017da34f32e49638d454402511b5181

SHA1
ac4fe7906382a5e83ab007358cd58313c1ed980d

SHA256
1f0b6e1939c5a2b00c2946203a8ffa84c14dea65f55e3a2e0e03b9899483aaa6

SHA512
2960bd638930b44a8bc557fb8662666af4440bf3557f74b4d38634d51110169497b6631ef73272c7e190b181903d6580a0fef69f1af3ea26c1d9cdfd1bf410ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf37309ed05a8ebb87e362092f357010

SHA1
d3572ad5cbc093535f425a5f5717a9494196b4c1

SHA256
7be3448440e9726a3c54e4f1c140774ce6df3681d40f7fe4bc97ce6104f4dbe1

SHA512
7ae6c08e7537cc5e07e526e0c16d5e304ff6b82a189059f143fe9c12e469f141b0f85f588b4450d8c63ccecf6851ca87d6ccb97f046222e6de8a8be79574555d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e1f4ca9bdffeaa83bc2a7a0cf318f9a

SHA1
f43a61f0365e227a861d8baf5c2358190797e7f7

SHA256
21c6b0e880b171997ceae5265f9bf31e4bd5198b7c0a060bcad7259046218b7b

SHA512
781c400320953a1efa702143f6eea95c371386f52ca37653a65d63f2a35b5542b1b9d68384d0c60d4f9ba7cc80e8a9150e5941ba80157c72e033cd969f9b3331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d95eb17a39fae6213bf5f5acbcaa086

SHA1
86faa453123cfcd8241e85b6ac76e417debea074

SHA256
0f695ba94467be234f93d037be94a6109a11cf706d141a4b452c8cfd81209056

SHA512
ceeca006ee586a7bd68f42e4a6db0255f0ef01e7ad580ab6bbf81cc3f498187caa49d441695a082aab07a4bb0fcc4688f997c13f2d665a4f5aa10c8f8bb2c783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d95eb17a39fae6213bf5f5acbcaa086

SHA1
86faa453123cfcd8241e85b6ac76e417debea074

SHA256
0f695ba94467be234f93d037be94a6109a11cf706d141a4b452c8cfd81209056

SHA512
ceeca006ee586a7bd68f42e4a6db0255f0ef01e7ad580ab6bbf81cc3f498187caa49d441695a082aab07a4bb0fcc4688f997c13f2d665a4f5aa10c8f8bb2c783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
993c3d87930f76751b4e5d7fc8618b13

SHA1
58960eaadc86ba7f05d8ce0dbda2297ecb4b2e4d

SHA256
9db7b542460d5ef1fb1e974f46dca9fb2b3bdcf40e6295a49747764e572ea17d

SHA512
6262857fc226ec2741b98e9b44bdf09897e8456689e129af81ac2c186f2c5856145b3fc8cb7d71f6bb61b96ca137d10e498baba3eb351c1596be2564fb8871fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
993c3d87930f76751b4e5d7fc8618b13

SHA1
58960eaadc86ba7f05d8ce0dbda2297ecb4b2e4d

SHA256
9db7b542460d5ef1fb1e974f46dca9fb2b3bdcf40e6295a49747764e572ea17d

SHA512
6262857fc226ec2741b98e9b44bdf09897e8456689e129af81ac2c186f2c5856145b3fc8cb7d71f6bb61b96ca137d10e498baba3eb351c1596be2564fb8871fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
993c3d87930f76751b4e5d7fc8618b13

SHA1
58960eaadc86ba7f05d8ce0dbda2297ecb4b2e4d

SHA256
9db7b542460d5ef1fb1e974f46dca9fb2b3bdcf40e6295a49747764e572ea17d

SHA512
6262857fc226ec2741b98e9b44bdf09897e8456689e129af81ac2c186f2c5856145b3fc8cb7d71f6bb61b96ca137d10e498baba3eb351c1596be2564fb8871fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
993c3d87930f76751b4e5d7fc8618b13

SHA1
58960eaadc86ba7f05d8ce0dbda2297ecb4b2e4d

SHA256
9db7b542460d5ef1fb1e974f46dca9fb2b3bdcf40e6295a49747764e572ea17d

SHA512
6262857fc226ec2741b98e9b44bdf09897e8456689e129af81ac2c186f2c5856145b3fc8cb7d71f6bb61b96ca137d10e498baba3eb351c1596be2564fb8871fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
400B

MD5
fc5d5357c8e956914e9a0a4ebc7f607b

SHA1
753278796b5f390e3c5f99008b95292afb8519ce

SHA256
54d951999965547d5144e049a50dfa70b370479db2bc0fbad5f09dd80b280029

SHA512
4331e581cd71a2a17f6f64e8ac4aa16b628047079b23cfbaeb99829af8984abd60e0687a2963ec8c66aff450a2b15e4c3e22e796e7fcb2af0906d0792515819f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
204B

MD5
6dd1f74492ec5a13210ded42c2cc19d8

SHA1
c216205d59bf84a139ec140e6713e8b1c0288487

SHA256
9488b91181c5dfa5c24a332bc21e166640f475f1910e9531072dce7b596db750

SHA512
d00e255dde662dcbf38859c453a94c74c640cd01d321afe350e2a90687372b5ff50b0b765e55ca472ec0d4b831971234ac20197b0ebfb1400fe89c3814a3c586

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
204B

MD5
6dd1f74492ec5a13210ded42c2cc19d8

SHA1
c216205d59bf84a139ec140e6713e8b1c0288487

SHA256
9488b91181c5dfa5c24a332bc21e166640f475f1910e9531072dce7b596db750

SHA512
d00e255dde662dcbf38859c453a94c74c640cd01d321afe350e2a90687372b5ff50b0b765e55ca472ec0d4b831971234ac20197b0ebfb1400fe89c3814a3c586

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
204B

MD5
9402ffdc879644f77962417841cadfff

SHA1
4c01f1c6d22905953dd0c04395453fc80cd43d1d

SHA256
6fffe0245a3bfb37cb8ebb7fb84d1978e780476a0e588ccfc499af49af6e9c20

SHA512
111c80456dcbfb94ddddae07e719941f934cf9920326cb461030b93a7fa1cbe4048148fa3278ba8a93e9216164f4f18e5d11eae0369554c7c759b24140aa949b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat

Filesize
204B

MD5
5ff48dce30e0cba8147d584cc6f09015

SHA1
19c8dcef5ef44d45118fed488e55bc954974784a

SHA256
67510ccc733093be6f6c7fa6e501762d1f263c185ea2675c71f4d13309b96f53

SHA512
8b85460464a0df53276a09c654eb851878c1de171de8e14b4cabee65404ee20b5367a977202a23d914407112b9369eb753610215392b92a84cd15b209a36d91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

Filesize
204B

MD5
1c96dd71131a01303a8594f50bd17179

SHA1
d2685a9e149c2f2691ec280d22b9ff7819d47635

SHA256
eaa21308d131af8cd138177944e65f84401db5245c4363b9a18e5d85b427dc88

SHA512
281fa8984bc5bde5bca56531f68da3ed0d4c264eaae6aa07453f47444edd7e4c45bbcd04f996ad60cf37d02b46ebfee5b612f1691acc67ac13647133213f741c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
204B

MD5
3ce695c47fa0b9bd8d8ca828e1b8a7ad

SHA1
fb241c03e69d6926e40e8d4ec38a56f6c1e4a5af

SHA256
8d5e3e38c7fac5ff21f5cc92007d21060ba3ad7a7273fab6d62f2dad748988f1

SHA512
717254870d993dbab1327ccd95a29cd9db16db537ca3f8496239cd3c322729c5476d81ba40df9d32d225f1ead70a43885e0a88f44f107e4d779577b4a37fd72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

Filesize
204B

MD5
9c73b568bedf9ab21fc8eab2925560c4

SHA1
ef6737e456a872443498dd38df4d4dc563b623a7

SHA256
70fcc37226910596712db5390876de3273118fe93f876b1cda1460a98f39a15b

SHA512
e7a06d340a72934eaa318294b6670002237b2cbcb309fc6e4dd63be224dcf2b4d605cba1c6d323ef2c05002b395d8f4d962fcfb06199261bda7e5680053953a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

Filesize
204B

MD5
a8978c7a0f7379352267cc4f6a52336b

SHA1
d0686f7fcfab9b69472f833b9c548d2837554d73

SHA256
110a13f2c47cf995f6b606397832d3b714585325fb01118407b1ebc0af521062

SHA512
dd6362f174982006f2b1616732e6e353486bd0c2f2cdae041dd4c2a9eebf4c0bfb39f8481d0bad60a0b486e3d7f5359e8aa97faf21801a823a9e43bc6d712696

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat

Filesize
204B

MD5
d996a22876263fa5af6c10e2f8316231

SHA1
a08673782a1d5f33a6015967668e7b16e225bd07

SHA256
5c6450b9395327f0e117f7f1290ae0ac41453b0595324964af621b59d600f307

SHA512
d1e71bfde0cfb77c652af2f4cab7fd1e3464e92512790b131bdd147ed408026c82eca1f880903dd003cb9eaa9616339b46390332acc0e00f9a65243aafbba15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
204B

MD5
3c28b8b03a71ebad8b6174fc90b08713

SHA1
a77b40bd95967cb17eed2e6a8309b185a357c526

SHA256
742987abc14faaa72d2b4900b79bb099dd9485b880fa5cfe7f07f85d18e83cd1

SHA512
fba4b4a30bff7fe8bc95251c3418e78fc4538632757205c5c330646d90faf14f09e52667971e1ba45a08f2c239ef60554dca06e43a61d0f5b082f4af718f4093

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
204B

MD5
baeee4c5b21808e38796e54a5c1d4f96

SHA1
47e05998ddee9b7c81f66846fb082a8f71785aed

SHA256
35c6e701675bc87a464f8696728dde6c48ff11cc138a75d5d3fd7d91f17ca2ff

SHA512
954761dfa52406b9c2ea7ef5b2177b521e8a82d5551c5aa81551b747d17fe026ce8c2dd88112558c9812dd9ad85849fa6565a905eeb68a037a367d6a74657c9a

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\Favorites\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/220-353-0x0000027FEC680000-0x0000027FEC6F6000-memory.dmp

Filesize
472KB

Download
memory/1948-349-0x000001D95E360000-0x000001D95E382000-memory.dmp

Filesize
136KB

Download
memory/3600-286-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/3600-287-0x00000000015D0000-0x00000000015E2000-memory.dmp

Filesize
72KB

Download
memory/3600-288-0x00000000019E0000-0x00000000019EC000-memory.dmp

Filesize
48KB

Download
memory/3600-289-0x00000000015E0000-0x00000000015EC000-memory.dmp

Filesize
48KB

Download
memory/3600-290-0x00000000019D0000-0x00000000019DC000-memory.dmp

Filesize
48KB

Download
memory/4588-186-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4588-185-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4708-722-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/4740-138-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-183-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-157-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-164-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-156-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-168-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-155-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-154-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-153-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-152-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-151-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-150-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-149-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-148-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-147-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-146-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-145-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-165-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-144-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-143-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-121-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-166-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-142-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-169-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-141-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-158-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-140-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-120-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-159-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-139-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-122-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-160-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-170-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-136-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-163-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-137-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-171-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-182-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-135-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-167-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-181-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-134-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-180-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-123-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-133-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-179-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-132-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-178-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-177-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-131-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-176-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-130-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-129-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-162-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-128-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-161-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-175-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-126-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-174-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-173-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-125-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-172-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download