dcrat | 207d509fe61bd1f3b64d3816c0a8b21a8181dfbf6523956835694d38a026695f

Analysis

max time kernel
135s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

207d509fe61bd1f3b64d3816c0a8b21a8181dfbf6523956835694d38a026695f.exe
Size

1.3MB
MD5

f79ecbf7951711aa696ca0caf46edf1c
SHA1

6488d3c07c7a574c25a701bebe51fc144dd4d495
SHA256

207d509fe61bd1f3b64d3816c0a8b21a8181dfbf6523956835694d38a026695f
SHA512

1ead827bb253132a194e1721d13ef805b2e417877c37cfdfe54bed062dbf746a07bd1dce9ee4b1509acdb3d7acd4918085662d79f95fad8d76da1ca472ad1830
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	192	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	4788	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4788	schtasks.exe	71

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abf0-284.dat	dcrat
behavioral1/files/0x000800000001abf0-285.dat	dcrat
behavioral1/memory/3908-286-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac25-359.dat	dcrat
behavioral1/files/0x000600000001ac25-358.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
3908	DllCommonsvc.exe
4740	dwm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\OfficeClickToRun.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\de-DE\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\de-DE\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
668	schtasks.exe
508	schtasks.exe
1424	schtasks.exe
3860	schtasks.exe
4480	schtasks.exe
4872	schtasks.exe
3120	schtasks.exe
1768	schtasks.exe
4204	schtasks.exe
440	schtasks.exe
288	schtasks.exe
192	schtasks.exe
876	schtasks.exe
2644	schtasks.exe
4892	schtasks.exe
4868	schtasks.exe
1784	schtasks.exe
916	schtasks.exe
1400	schtasks.exe
208	schtasks.exe
2720	schtasks.exe
4680	schtasks.exe
3932	schtasks.exe
1712	schtasks.exe
2296	schtasks.exe
1528	schtasks.exe
4752	schtasks.exe
4704	schtasks.exe
1772	schtasks.exe
3156	schtasks.exe
956	schtasks.exe
4736	schtasks.exe
4656	schtasks.exe
3864	schtasks.exe
1160	schtasks.exe
2260	schtasks.exe
2224	schtasks.exe
4684	schtasks.exe
4728	schtasks.exe
1740	schtasks.exe
656	schtasks.exe
1324	schtasks.exe
2400	schtasks.exe
2184	schtasks.exe
2464	schtasks.exe
1536	schtasks.exe
4432	schtasks.exe
4440	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	207d509fe61bd1f3b64d3816c0a8b21a8181dfbf6523956835694d38a026695f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
3908	DllCommonsvc.exe
4896	powershell.exe
4896	powershell.exe
4192	powershell.exe
4192	powershell.exe
3776	powershell.exe
3776	powershell.exe
3692	powershell.exe
3692	powershell.exe
4912	powershell.exe
4912	powershell.exe
1688	powershell.exe
1688	powershell.exe
3900	powershell.exe
3900	powershell.exe
1688	powershell.exe
1976	powershell.exe
1976	powershell.exe
3552	powershell.exe
3552	powershell.exe
4324	powershell.exe
4324	powershell.exe
1464	powershell.exe
1464	powershell.exe
4048	powershell.exe
4048	powershell.exe
780	powershell.exe
780	powershell.exe
5028	powershell.exe
5028	powershell.exe
4052	powershell.exe
4052	powershell.exe
4080	powershell.exe
4080	powershell.exe
4576	powershell.exe
4576	powershell.exe
5028	powershell.exe
780	powershell.exe
4740	dwm.exe
4740	dwm.exe
4896	powershell.exe
4896	powershell.exe
3692	powershell.exe
1976	powershell.exe
3900	powershell.exe
3776	powershell.exe
1464	powershell.exe
4048	powershell.exe
4912	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4740	dwm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	DllCommonsvc.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	4740	dwm.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeIncreaseQuotaPrivilege	1688	powershell.exe
Token: SeSecurityPrivilege	1688	powershell.exe
Token: SeTakeOwnershipPrivilege	1688	powershell.exe
Token: SeLoadDriverPrivilege	1688	powershell.exe
Token: SeSystemProfilePrivilege	1688	powershell.exe
Token: SeSystemtimePrivilege	1688	powershell.exe
Token: SeProfSingleProcessPrivilege	1688	powershell.exe
Token: SeIncBasePriorityPrivilege	1688	powershell.exe
Token: SeCreatePagefilePrivilege	1688	powershell.exe
Token: SeBackupPrivilege	1688	powershell.exe
Token: SeRestorePrivilege	1688	powershell.exe
Token: SeShutdownPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeSystemEnvironmentPrivilege	1688	powershell.exe
Token: SeRemoteShutdownPrivilege	1688	powershell.exe
Token: SeUndockPrivilege	1688	powershell.exe
Token: SeManageVolumePrivilege	1688	powershell.exe
Token: 33	1688	powershell.exe
Token: 34	1688	powershell.exe
Token: 35	1688	powershell.exe
Token: 36	1688	powershell.exe
Token: SeIncreaseQuotaPrivilege	5028	powershell.exe
Token: SeSecurityPrivilege	5028	powershell.exe
Token: SeTakeOwnershipPrivilege	5028	powershell.exe
Token: SeLoadDriverPrivilege	5028	powershell.exe
Token: SeSystemProfilePrivilege	5028	powershell.exe
Token: SeSystemtimePrivilege	5028	powershell.exe
Token: SeProfSingleProcessPrivilege	5028	powershell.exe
Token: SeIncBasePriorityPrivilege	5028	powershell.exe
Token: SeCreatePagefilePrivilege	5028	powershell.exe
Token: SeBackupPrivilege	5028	powershell.exe
Token: SeRestorePrivilege	5028	powershell.exe
Token: SeShutdownPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeSystemEnvironmentPrivilege	5028	powershell.exe
Token: SeRemoteShutdownPrivilege	5028	powershell.exe
Token: SeUndockPrivilege	5028	powershell.exe
Token: SeManageVolumePrivilege	5028	powershell.exe
Token: 33	5028	powershell.exe
Token: 34	5028	powershell.exe
Token: 35	5028	powershell.exe
Token: 36	5028	powershell.exe
Token: SeIncreaseQuotaPrivilege	1976	powershell.exe
Token: SeSecurityPrivilege	1976	powershell.exe
Token: SeTakeOwnershipPrivilege	1976	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4316	4744	207d509fe61bd1f3b64d3816c0a8b21a8181dfbf6523956835694d38a026695f.exe	67
PID 4744 wrote to memory of 4316	4744	207d509fe61bd1f3b64d3816c0a8b21a8181dfbf6523956835694d38a026695f.exe	67
PID 4744 wrote to memory of 4316	4744	207d509fe61bd1f3b64d3816c0a8b21a8181dfbf6523956835694d38a026695f.exe	67
PID 4316 wrote to memory of 4512	4316	WScript.exe	68
PID 4316 wrote to memory of 4512	4316	WScript.exe	68
PID 4316 wrote to memory of 4512	4316	WScript.exe	68
PID 4512 wrote to memory of 3908	4512	cmd.exe	70
PID 4512 wrote to memory of 3908	4512	cmd.exe	70
PID 3908 wrote to memory of 4896	3908	DllCommonsvc.exe	120
PID 3908 wrote to memory of 4896	3908	DllCommonsvc.exe	120
PID 3908 wrote to memory of 3692	3908	DllCommonsvc.exe	131
PID 3908 wrote to memory of 3692	3908	DllCommonsvc.exe	131
PID 3908 wrote to memory of 3776	3908	DllCommonsvc.exe	121
PID 3908 wrote to memory of 3776	3908	DllCommonsvc.exe	121
PID 3908 wrote to memory of 1976	3908	DllCommonsvc.exe	129
PID 3908 wrote to memory of 1976	3908	DllCommonsvc.exe	129
PID 3908 wrote to memory of 3900	3908	DllCommonsvc.exe	124
PID 3908 wrote to memory of 3900	3908	DllCommonsvc.exe	124
PID 3908 wrote to memory of 4912	3908	DllCommonsvc.exe	125
PID 3908 wrote to memory of 4912	3908	DllCommonsvc.exe	125
PID 3908 wrote to memory of 4192	3908	DllCommonsvc.exe	126
PID 3908 wrote to memory of 4192	3908	DllCommonsvc.exe	126
PID 3908 wrote to memory of 1688	3908	DllCommonsvc.exe	132
PID 3908 wrote to memory of 1688	3908	DllCommonsvc.exe	132
PID 3908 wrote to memory of 3552	3908	DllCommonsvc.exe	133
PID 3908 wrote to memory of 3552	3908	DllCommonsvc.exe	133
PID 3908 wrote to memory of 4080	3908	DllCommonsvc.exe	134
PID 3908 wrote to memory of 4080	3908	DllCommonsvc.exe	134
PID 3908 wrote to memory of 4048	3908	DllCommonsvc.exe	143
PID 3908 wrote to memory of 4048	3908	DllCommonsvc.exe	143
PID 3908 wrote to memory of 1464	3908	DllCommonsvc.exe	137
PID 3908 wrote to memory of 1464	3908	DllCommonsvc.exe	137
PID 3908 wrote to memory of 4324	3908	DllCommonsvc.exe	138
PID 3908 wrote to memory of 4324	3908	DllCommonsvc.exe	138
PID 3908 wrote to memory of 5028	3908	DllCommonsvc.exe	139
PID 3908 wrote to memory of 5028	3908	DllCommonsvc.exe	139
PID 3908 wrote to memory of 4052	3908	DllCommonsvc.exe	154
PID 3908 wrote to memory of 4052	3908	DllCommonsvc.exe	154
PID 3908 wrote to memory of 4576	3908	DllCommonsvc.exe	147
PID 3908 wrote to memory of 4576	3908	DllCommonsvc.exe	147
PID 3908 wrote to memory of 780	3908	DllCommonsvc.exe	148
PID 3908 wrote to memory of 780	3908	DllCommonsvc.exe	148
PID 3908 wrote to memory of 4740	3908	DllCommonsvc.exe	152
PID 3908 wrote to memory of 4740	3908	DllCommonsvc.exe	152

C:\Users\Admin\AppData\Local\Temp\207d509fe61bd1f3b64d3816c0a8b21a8181dfbf6523956835694d38a026695f.exe
"C:\Users\Admin\AppData\Local\Temp\207d509fe61bd1f3b64d3816c0a8b21a8181dfbf6523956835694d38a026695f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\dwm.exe
        
        "C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\AppReadiness\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
635dac5c3726ed2daa28ba9fa09e0684

SHA1
178d0fd17d0463b8383caaa77d04921a5ed5b7d6

SHA256
2cfeacadf5b6b69bdf419d41f95e483b3c4921d9dabc09720115bcf13005e5dc

SHA512
8844ce9d18a55c9354c0631c802d5da7d3ebffc078cdc3f89563ca44a79cc157b7befcea6b23c548421585dd98c836939fd0ca8c25ebb4af31e7c400328b6f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b8430d32d11084034b933563c7bc189

SHA1
e50b3fa64da74484de0702507b2b7878a0427ec5

SHA256
75e961bf5c9054732a46b3c73abec8492ba93664fa7e04fccfef2c1327a61c6b

SHA512
931490029489c04dedfce57c04be40f2ffe1411e228cb363c7a1b1626d07c156df34b0316dcb6fe098a3fc3156ff29adc3ec2cc57f8f6cb521d03c9928382c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb5054304213fbcd5d9b12cd65c8adab

SHA1
977bbdc88b85bf73c3aa01db45283daf5bb1f512

SHA256
9307dc8e6677f29f5ee63ade1e235cd8ffce49e9c01adcbbd700c01dcc02dd20

SHA512
588b09ef718951a730ca483b0a61f2b832d7a613e2352ccba995c3983c4820af6c177d2db99a45c4ea349437fd21e0e5a498252a29f8208c1110cc7268d4a9bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a08d12062a99d7a43b57b2f46f2fe4a

SHA1
e99d5e9dbef1889347db3189db3ccb169832d4bd

SHA256
8f25b8ef029cf785dc1fc801ee4970b397c0def100c23fa44ee16dca2f0d65f1

SHA512
9bbb58d8f86a89466f1fc964dd886169b0f8e3d8b7431e0472f7dc3d39ad304e72480e4134e6b12ccd6392ea95891ae04b02175f2bda6ea06ccd88d988221f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f30df7ab178abf2e734e8e5488cb16f8

SHA1
16ed6b0f71b71e1503091f623824c6d37dec075a

SHA256
1081c3a72b6a940d93373101f510797d4d0bcba3a87100832c45719c3cb89cbb

SHA512
cbae1248050d9f103dc6e0da8c623a305947bffcd15a0ccf3fb79f766711f0fedffa39c4f1a6b0c57dd1f18b74088ef3b282d046fe40e267b72a008cc86d366c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f30df7ab178abf2e734e8e5488cb16f8

SHA1
16ed6b0f71b71e1503091f623824c6d37dec075a

SHA256
1081c3a72b6a940d93373101f510797d4d0bcba3a87100832c45719c3cb89cbb

SHA512
cbae1248050d9f103dc6e0da8c623a305947bffcd15a0ccf3fb79f766711f0fedffa39c4f1a6b0c57dd1f18b74088ef3b282d046fe40e267b72a008cc86d366c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f30df7ab178abf2e734e8e5488cb16f8

SHA1
16ed6b0f71b71e1503091f623824c6d37dec075a

SHA256
1081c3a72b6a940d93373101f510797d4d0bcba3a87100832c45719c3cb89cbb

SHA512
cbae1248050d9f103dc6e0da8c623a305947bffcd15a0ccf3fb79f766711f0fedffa39c4f1a6b0c57dd1f18b74088ef3b282d046fe40e267b72a008cc86d366c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f30df7ab178abf2e734e8e5488cb16f8

SHA1
16ed6b0f71b71e1503091f623824c6d37dec075a

SHA256
1081c3a72b6a940d93373101f510797d4d0bcba3a87100832c45719c3cb89cbb

SHA512
cbae1248050d9f103dc6e0da8c623a305947bffcd15a0ccf3fb79f766711f0fedffa39c4f1a6b0c57dd1f18b74088ef3b282d046fe40e267b72a008cc86d366c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f30df7ab178abf2e734e8e5488cb16f8

SHA1
16ed6b0f71b71e1503091f623824c6d37dec075a

SHA256
1081c3a72b6a940d93373101f510797d4d0bcba3a87100832c45719c3cb89cbb

SHA512
cbae1248050d9f103dc6e0da8c623a305947bffcd15a0ccf3fb79f766711f0fedffa39c4f1a6b0c57dd1f18b74088ef3b282d046fe40e267b72a008cc86d366c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27c819e37f2597d8e7951b15f0ebf5e9

SHA1
0c7997b6dd1b68568f23269e7ca0ce059fbba736

SHA256
542219b4b2d297a936ea72ee5c4b2ade3dfd850e77897f627c307e50a5fee039

SHA512
7648e1e9df2abeee07585cae5aea86013720f04b1f99458dc6592c2d21a0f037e7cd297d5db3063dcab40478f028e28cf6c76e9cedcbc336c9a65557ef3f2836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
262e7ef3f77e2b176ed546eb3ba8d77e

SHA1
6aaabf0f63ecbc023d7094b923dbdeb7eafc597a

SHA256
f52b8541917bcfc10e4f3936f008aac912276fd8c018698f404e95f64dd6582e

SHA512
9c965eb68d5c252b5a559bd49f11e29774ffb03b0a7a9a0f0dcb2bf764b58f30080088eb00b72946bb904be2041b456aded8498580e24e7b2cc87eb8a2458178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
262e7ef3f77e2b176ed546eb3ba8d77e

SHA1
6aaabf0f63ecbc023d7094b923dbdeb7eafc597a

SHA256
f52b8541917bcfc10e4f3936f008aac912276fd8c018698f404e95f64dd6582e

SHA512
9c965eb68d5c252b5a559bd49f11e29774ffb03b0a7a9a0f0dcb2bf764b58f30080088eb00b72946bb904be2041b456aded8498580e24e7b2cc87eb8a2458178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
954fbd7581782ccbee7ee22efb7bc29f

SHA1
7a0764f0577a0f9764250ac16d34c4c6f2302a9c

SHA256
4c1379b50380388429815a2eaee1addd81b1a1c0c5edab8235c68d77179578fd

SHA512
38948a81766eb2781050ce17e292b3dbd1924abd20fe671615f79bf27a2a459e636f2132e1037d3c7677b6051c6125848e5ec472022d86efaa4c3632d8b3634e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
954fbd7581782ccbee7ee22efb7bc29f

SHA1
7a0764f0577a0f9764250ac16d34c4c6f2302a9c

SHA256
4c1379b50380388429815a2eaee1addd81b1a1c0c5edab8235c68d77179578fd

SHA512
38948a81766eb2781050ce17e292b3dbd1924abd20fe671615f79bf27a2a459e636f2132e1037d3c7677b6051c6125848e5ec472022d86efaa4c3632d8b3634e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d66d13872d43d863d8a3626ff6f7d6e

SHA1
5e0fd44b427228620934243b9e7ca1fc4e651a2d

SHA256
5de01f3f3fb1aa3fb3e4c26d7d93b4d5eaf02131be36390d5b42b51b68f7edb2

SHA512
1ab781ebf897827d54884bc3c76faf302d74c5e89c8fe82f82312eb03b90ebe3a405df786a3804e0363f7a55c84125a270029ad88f2efa7cc8bcce24a38185ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e54c93421a1b051895202d9e5530eada

SHA1
485a625b61716f72abc13b6f2007599c26ec60cd

SHA256
c3459a125f801c9924aca14a933f342fb7216a49f2d72091fd1c70ef3f720a0b

SHA512
755f2282d5c0d7a74e2109fc72c08129f065e03a0212cafaa9a9d5f446e1bf6d46100131518d1884a87256f076cdfa15b66ec33d1947ad36f6c61eac056a7da5

Download Submit
C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1688-384-0x0000011930700000-0x0000011930776000-memory.dmp

Filesize
472KB

Download
memory/3908-286-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/3908-290-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

Filesize
48KB

Download
memory/3908-289-0x0000000002E90000-0x0000000002E9C000-memory.dmp

Filesize
48KB

Download
memory/3908-288-0x0000000002E80000-0x0000000002E8C000-memory.dmp

Filesize
48KB

Download
memory/3908-287-0x0000000002E70000-0x0000000002E82000-memory.dmp

Filesize
72KB

Download
memory/4316-186-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4316-185-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-152-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-155-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-174-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-175-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-176-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-177-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-178-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-179-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-180-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-181-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-182-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-183-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-173-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-171-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-170-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-169-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-168-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-167-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-166-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-165-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-164-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-163-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-161-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-162-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-160-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-159-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-121-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-158-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-157-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-156-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-149-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-122-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-153-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-172-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-154-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-120-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-151-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-150-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-148-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-123-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-147-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-146-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-144-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-145-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-142-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-125-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-143-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-141-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-140-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-139-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-138-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-137-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-136-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-135-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-134-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-133-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-132-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-131-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-130-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-129-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-128-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-126-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

Filesize
1.6MB

Download
memory/4896-371-0x0000024AB9C70000-0x0000024AB9C92000-memory.dmp

Filesize
136KB

Download