dcrat | d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671

Analysis

max time kernel
29s
max time network
63s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe
Size

1.3MB
MD5

34c735dba48810f26ae411f201d29703
SHA1

5a79a830aea354f9006a0688c7ea9099e79776db
SHA256

d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671
SHA512

c554222b3e8f60780a0cf1e92bb8a6cac7f02454e7a2d931d1015a3d7fda508106bd3bf049f899115073dd71a0cb7b4e3ef07aa7741fbbf52104593536b1621c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	192	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	4404	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	4404	schtasks.exe	70

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac19-283.dat	dcrat
behavioral1/files/0x000900000001ac19-284.dat	dcrat
behavioral1/memory/4956-285-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac25-442.dat	dcrat
behavioral1/files/0x000600000001ac25-443.dat	dcrat
behavioral1/files/0x000600000001ac25-815.dat	dcrat
behavioral1/files/0x000600000001ac25-866.dat	dcrat
behavioral1/files/0x000600000001ac25-871.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
4956	DllCommonsvc.exe
656	ShellExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\en-US\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\e6c9b481da804f	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\en-US\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1812	schtasks.exe
816	schtasks.exe
872	schtasks.exe
1864	schtasks.exe
4384	schtasks.exe
3140	schtasks.exe
764	schtasks.exe
4328	schtasks.exe
4460	schtasks.exe
4636	schtasks.exe
4396	schtasks.exe
3764	schtasks.exe
4484	schtasks.exe
1040	schtasks.exe
1336	schtasks.exe
5012	schtasks.exe
4324	schtasks.exe
4416	schtasks.exe
4336	schtasks.exe
524	schtasks.exe
4936	schtasks.exe
4872	schtasks.exe
1476	schtasks.exe
4436	schtasks.exe
4624	schtasks.exe
768	schtasks.exe
204	schtasks.exe
1772	schtasks.exe
3320	schtasks.exe
700	schtasks.exe
4292	schtasks.exe
3936	schtasks.exe
60	schtasks.exe
1628	schtasks.exe
192	schtasks.exe
5028	schtasks.exe
5036	schtasks.exe
2768	schtasks.exe
372	schtasks.exe
3292	schtasks.exe
2304	schtasks.exe
2176	schtasks.exe
4604	schtasks.exe
4632	schtasks.exe
3276	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4956	DllCommonsvc.exe
4956	DllCommonsvc.exe
4956	DllCommonsvc.exe
4956	DllCommonsvc.exe
4956	DllCommonsvc.exe
4956	DllCommonsvc.exe
4956	DllCommonsvc.exe
4956	DllCommonsvc.exe
4956	DllCommonsvc.exe
4956	DllCommonsvc.exe
512	powershell.exe
512	powershell.exe
2728	powershell.exe
2728	powershell.exe
352	powershell.exe
352	powershell.exe
1840	powershell.exe
1840	powershell.exe
3824	powershell.exe
3824	powershell.exe
1516	powershell.exe
1516	powershell.exe
2664	powershell.exe
2664	powershell.exe
2680	powershell.exe
2680	powershell.exe
4720	powershell.exe
4720	powershell.exe
1840	powershell.exe
3688	powershell.exe
3724	powershell.exe
3688	powershell.exe
3724	powershell.exe
4344	powershell.exe
4344	powershell.exe
2900	powershell.exe
5064	powershell.exe
2900	powershell.exe
5064	powershell.exe
2680	powershell.exe
4224	powershell.exe
4224	powershell.exe
1072	powershell.exe
1072	powershell.exe
1072	powershell.exe
1840	powershell.exe
512	powershell.exe
512	powershell.exe
352	powershell.exe
352	powershell.exe
2728	powershell.exe
2728	powershell.exe
3688	powershell.exe
2680	powershell.exe
3824	powershell.exe
2664	powershell.exe
1516	powershell.exe
4720	powershell.exe
3724	powershell.exe
5064	powershell.exe
4224	powershell.exe
1072	powershell.exe
4344	powershell.exe
512	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	DllCommonsvc.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	656	ShellExperienceHost.exe
Token: SeIncreaseQuotaPrivilege	1840	powershell.exe
Token: SeSecurityPrivilege	1840	powershell.exe
Token: SeTakeOwnershipPrivilege	1840	powershell.exe
Token: SeLoadDriverPrivilege	1840	powershell.exe
Token: SeSystemProfilePrivilege	1840	powershell.exe
Token: SeSystemtimePrivilege	1840	powershell.exe
Token: SeProfSingleProcessPrivilege	1840	powershell.exe
Token: SeIncBasePriorityPrivilege	1840	powershell.exe
Token: SeCreatePagefilePrivilege	1840	powershell.exe
Token: SeBackupPrivilege	1840	powershell.exe
Token: SeRestorePrivilege	1840	powershell.exe
Token: SeShutdownPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeSystemEnvironmentPrivilege	1840	powershell.exe
Token: SeRemoteShutdownPrivilege	1840	powershell.exe
Token: SeUndockPrivilege	1840	powershell.exe
Token: SeManageVolumePrivilege	1840	powershell.exe
Token: 33	1840	powershell.exe
Token: 34	1840	powershell.exe
Token: 35	1840	powershell.exe
Token: 36	1840	powershell.exe
Token: SeIncreaseQuotaPrivilege	2680	powershell.exe
Token: SeSecurityPrivilege	2680	powershell.exe
Token: SeTakeOwnershipPrivilege	2680	powershell.exe
Token: SeLoadDriverPrivilege	2680	powershell.exe
Token: SeSystemProfilePrivilege	2680	powershell.exe
Token: SeSystemtimePrivilege	2680	powershell.exe
Token: SeProfSingleProcessPrivilege	2680	powershell.exe
Token: SeIncBasePriorityPrivilege	2680	powershell.exe
Token: SeCreatePagefilePrivilege	2680	powershell.exe
Token: SeBackupPrivilege	2680	powershell.exe
Token: SeRestorePrivilege	2680	powershell.exe
Token: SeShutdownPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeSystemEnvironmentPrivilege	2680	powershell.exe
Token: SeRemoteShutdownPrivilege	2680	powershell.exe
Token: SeUndockPrivilege	2680	powershell.exe
Token: SeManageVolumePrivilege	2680	powershell.exe
Token: 33	2680	powershell.exe
Token: 34	2680	powershell.exe
Token: 35	2680	powershell.exe
Token: 36	2680	powershell.exe
Token: SeIncreaseQuotaPrivilege	1072	powershell.exe
Token: SeSecurityPrivilege	1072	powershell.exe
Token: SeTakeOwnershipPrivilege	1072	powershell.exe
Token: SeLoadDriverPrivilege	1072	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 4760	2620	d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe	66
PID 2620 wrote to memory of 4760	2620	d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe	66
PID 2620 wrote to memory of 4760	2620	d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe	66
PID 4760 wrote to memory of 2284	4760	WScript.exe	67
PID 4760 wrote to memory of 2284	4760	WScript.exe	67
PID 4760 wrote to memory of 2284	4760	WScript.exe	67
PID 2284 wrote to memory of 4956	2284	cmd.exe	69
PID 2284 wrote to memory of 4956	2284	cmd.exe	69
PID 4956 wrote to memory of 512	4956	DllCommonsvc.exe	116
PID 4956 wrote to memory of 512	4956	DllCommonsvc.exe	116
PID 4956 wrote to memory of 1840	4956	DllCommonsvc.exe	120
PID 4956 wrote to memory of 1840	4956	DllCommonsvc.exe	120
PID 4956 wrote to memory of 2728	4956	DllCommonsvc.exe	119
PID 4956 wrote to memory of 2728	4956	DllCommonsvc.exe	119
PID 4956 wrote to memory of 352	4956	DllCommonsvc.exe	121
PID 4956 wrote to memory of 352	4956	DllCommonsvc.exe	121
PID 4956 wrote to memory of 1516	4956	DllCommonsvc.exe	122
PID 4956 wrote to memory of 1516	4956	DllCommonsvc.exe	122
PID 4956 wrote to memory of 3824	4956	DllCommonsvc.exe	126
PID 4956 wrote to memory of 3824	4956	DllCommonsvc.exe	126
PID 4956 wrote to memory of 2664	4956	DllCommonsvc.exe	124
PID 4956 wrote to memory of 2664	4956	DllCommonsvc.exe	124
PID 4956 wrote to memory of 2680	4956	DllCommonsvc.exe	128
PID 4956 wrote to memory of 2680	4956	DllCommonsvc.exe	128
PID 4956 wrote to memory of 3724	4956	DllCommonsvc.exe	129
PID 4956 wrote to memory of 3724	4956	DllCommonsvc.exe	129
PID 4956 wrote to memory of 4720	4956	DllCommonsvc.exe	130
PID 4956 wrote to memory of 4720	4956	DllCommonsvc.exe	130
PID 4956 wrote to memory of 3688	4956	DllCommonsvc.exe	131
PID 4956 wrote to memory of 3688	4956	DllCommonsvc.exe	131
PID 4956 wrote to memory of 4344	4956	DllCommonsvc.exe	132
PID 4956 wrote to memory of 4344	4956	DllCommonsvc.exe	132
PID 4956 wrote to memory of 2900	4956	DllCommonsvc.exe	138
PID 4956 wrote to memory of 2900	4956	DllCommonsvc.exe	138
PID 4956 wrote to memory of 1072	4956	DllCommonsvc.exe	133
PID 4956 wrote to memory of 1072	4956	DllCommonsvc.exe	133
PID 4956 wrote to memory of 5064	4956	DllCommonsvc.exe	135
PID 4956 wrote to memory of 5064	4956	DllCommonsvc.exe	135
PID 4956 wrote to memory of 4224	4956	DllCommonsvc.exe	142
PID 4956 wrote to memory of 4224	4956	DllCommonsvc.exe	142
PID 4956 wrote to memory of 656	4956	DllCommonsvc.exe	148
PID 4956 wrote to memory of 656	4956	DllCommonsvc.exe	148
PID 656 wrote to memory of 1544	656	ShellExperienceHost.exe	150
PID 656 wrote to memory of 1544	656	ShellExperienceHost.exe	150
PID 1544 wrote to memory of 408	1544	cmd.exe	152
PID 1544 wrote to memory of 408	1544	cmd.exe	152

C:\Users\Admin\AppData\Local\Temp\d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe
"C:\Users\Admin\AppData\Local\Temp\d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\en-US\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
    - - C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:408
        
        C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe"
        7⤵
        
        PID:5160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
        8⤵
        
        PID:5496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5612
        
        C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe"
        9⤵
        
        PID:5712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat"
        10⤵
        
        PID:5824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5888
        
        C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe"
        11⤵
        
        PID:5916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Media Player\Visualizations\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShellExperienceHost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e933ee91ecc11dfd0380752fbd7ee68f

SHA1
8bd97b3ae7d24ea6f1733f8cdaa5ab0274a39554

SHA256
7b050e098b6e3dbc794c79c325b7999270a08c8d8c64c9ff91606eaa8cc9c213

SHA512
4dd1b32195271be70c28f840dbc99424b1581ca9a8280f371015539d1b5a17f66822bec9a36dbe897d7858d5ccbac767abae465c4e5dba12ee2a40a7a77a7744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45450e58f7c1d376320f72b025edd13a

SHA1
64845fac5deeb82a66af1f6e548956b352cae9ff

SHA256
37d2792146fb6c2b21e3a6f7d5d9969fb1df05956537fb7dabd27add8fce3426

SHA512
ebcb6ecf7cda7b43c54420d6b6a32b927d4e44d5eed3fb0b16a0f9917632732a010a490f672dbfbb0d7fe66a09b1e69377766d886ecd3b6cc37455e996386691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23b1cb83072ce44365dd85f64a9fdf71

SHA1
9fb8656ecfa36cf0be0573600eddcbb9ae4c69a1

SHA256
a9745f384d3f160effac8f98a9d15758df70c1d83afd0f7c352d5fb365779bca

SHA512
9b071be9fd7aa6aa1223e3d458820f3bb2294d4f0fbda182c1d13839b7f719af523717f7119222a02ef19fd6466a0278aabe81bdc8894376bacec64faef6786a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d95a9865506ac32268c0388f8549a004

SHA1
30d102f0d293abe78b4594933dfceaaed69c2706

SHA256
17b28959d997b5a2e0d6a7ab08798a76e7a7c3b37ed1a6494a5e90ddb844e08f

SHA512
ff4fddb63ec196a5e0851866df4dc322ceb9e3c5b3817c30fc481b9acbaa9404479dcb990b935fb330e525fa90896852b35533a470dba9036483239fb87c482e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
422ac3f0f09fe72712e533c001df5618

SHA1
968cf07c7559edeb0c60e256e03cea06eca40804

SHA256
1da7dfdac3f44a8a7e1333a96c3bb1d5e059471da2a1edfe92ba5dba33a2d625

SHA512
de6bd0836fc57cdb2a734750fb093297b422549385ca4b80c5a95ca53ed62db58d7d0c1c9acfd461953c66f756dcf27df7b09c0d90234c8fb634a645b807ce02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ebadb46be93a9d3ecbced44c558e4e5

SHA1
4d8d93271556587021ac76ae27669a9d877224d4

SHA256
9998c1e682b664e2c56f3ce1e9e0501fd5b40a5dbd3a7d721c246546ba0e2018

SHA512
6764488b10552ab2c57c10ce38845e6feb55a08efb081765af739df207600db11bab64f03fd565e2f8d287cf6e0c08baed389ddc473fdbd6ab5d31633accea28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ebadb46be93a9d3ecbced44c558e4e5

SHA1
4d8d93271556587021ac76ae27669a9d877224d4

SHA256
9998c1e682b664e2c56f3ce1e9e0501fd5b40a5dbd3a7d721c246546ba0e2018

SHA512
6764488b10552ab2c57c10ce38845e6feb55a08efb081765af739df207600db11bab64f03fd565e2f8d287cf6e0c08baed389ddc473fdbd6ab5d31633accea28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53365580b0afc1d313f746588e4c470d

SHA1
637afa185f6f7e7f45920a53ad851a1c33a88bdf

SHA256
1aea7ac41d6cd609a0e10f55a0049d20ff9790eb1c8c63af7b0a12a72477ed9f

SHA512
75d6ed2097e4af804b51a220c45026212b317e977abd65b525af44c9af79b36814f29bb4b34b0bd68b99ebae58cac62f0ea2ffb997e5e03d7d1944b9d37c5b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ea03d1cc30e0fbb9c976bc0126c67d95

SHA1
ac16c3575cf5fe47523385de568e7b1b3f9fd472

SHA256
5269c3c0ee13d424a57dd311ebd4d8ba4391584380dd4c1010ae24ad85064f26

SHA512
35fdb2c4d98125a6fe072cf67e4146a291a8df7727f0c89627eb8ebf8ed0311508d2e3f779d41436e4cd9995e4a302938fe64251521c39017d528f70e41c3489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7546af656f7d1496f66087066156d9f3

SHA1
589d40c9949f1b90c63a3a33df62385652a6cf73

SHA256
412a34fc46cba01ee89519945a1632e73aa35990c319890295186ef823d56539

SHA512
dbdd8d272b676aa33b9b050fc61fc7f465791230e401e7c711e37cc9966d038dc4771fefc58b5fb53db83695828b39864561e6fa6b9b38ae409436d62253b03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2040f50bd563e739134c0a6938ff304c

SHA1
917c983678b506baa31da6944bebe89ab200767c

SHA256
dec2eaea00efb2cb01b656f660bca9d456d6d37f5a832f498e1dc3d8f28e71cb

SHA512
8d9414a384681a3de837c4caab595d5b488982262766b804da42715a485e313aba1ebf37ba15dafafff850efc895cd9b92dd1bca87c1d7cc4afc74c9056030a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d40b51cb5cac1bea7e143eb9e8a5d3a

SHA1
bf323891d941d14aeb9e67520e96f09b30d48a12

SHA256
b980e1edb57695706b6b6c6e7ff1908a1ed95c7c558e67de40474c6893adba00

SHA512
638934b20be9af777d230170e55af819cb7d74b2a5218ca21dcfc05ebb5579496d62fe22dceb5801498fc9329dbd0fbc0dddaa1d6812a3d7da97af34a69e46df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d40b51cb5cac1bea7e143eb9e8a5d3a

SHA1
bf323891d941d14aeb9e67520e96f09b30d48a12

SHA256
b980e1edb57695706b6b6c6e7ff1908a1ed95c7c558e67de40474c6893adba00

SHA512
638934b20be9af777d230170e55af819cb7d74b2a5218ca21dcfc05ebb5579496d62fe22dceb5801498fc9329dbd0fbc0dddaa1d6812a3d7da97af34a69e46df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d40b51cb5cac1bea7e143eb9e8a5d3a

SHA1
bf323891d941d14aeb9e67520e96f09b30d48a12

SHA256
b980e1edb57695706b6b6c6e7ff1908a1ed95c7c558e67de40474c6893adba00

SHA512
638934b20be9af777d230170e55af819cb7d74b2a5218ca21dcfc05ebb5579496d62fe22dceb5801498fc9329dbd0fbc0dddaa1d6812a3d7da97af34a69e46df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2db4579f53ec4a4c0b52024d9695ad56

SHA1
7555bac394fb950934c636bbd63e96f33a9dc0fa

SHA256
376f9d2d663912a05b511b506f1343f76d9c03edff869bf79249dd363b52b05f

SHA512
f135afffb00a51efe9c52bf91cab569a78657c52acd96fae9bfa50067bac2e0636b71fa99225741608431e0d2c27763a7a8bc7fa300469fdf0b470e0727b7607

Download Submit
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat

Filesize
241B

MD5
cb6391df32a9d4da9af0a533b1ac97c9

SHA1
542426e36de1fe7c38decbfc699e3fd3d751ed3a

SHA256
75e588e8cb52c4da4539b02178a3d1a3577c105e57e8488fec4842bf33c52a0d

SHA512
9bc8acf999839a4b0d476914cb78c041c01f1b48e5a9b79d3b2f0241b3361abda4d18f2fff7779d5e6b8b43ba45aefc4d20eb3f605c3603fa2be1d53180b27f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

Filesize
241B

MD5
d8da85b86917be3e27376d247a5d729a

SHA1
800ef2a33d906c240a94748f80eb7d602b9f2ea3

SHA256
871fb711d777889ea94e9f83916e5abcafc3bf6a36f74d09e93cd5e1517e43f3

SHA512
ca64c1cda935b448992ed4b4e4f8623bde5cda668eca4e573b3456a1bb88483df127400451d430f1554d3418e7aa6397446704cee937a11ac27bc8c56fcae3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat

Filesize
241B

MD5
9beef153b28646f49bbc534b69d6350a

SHA1
c1a3c7a35908c345f24c1af59dabaa4fbcdfa7e2

SHA256
cec0b08c5629f85fc1f79f053890e72ccefe4df6381eeee9966430330b15a3c2

SHA512
d37eea1078f6541156ffe0d9b34cf876d178e1e1a8e804374f19c1ed7fa721a26431ed6e8c48558a25d20e37eb150939d80c091d0808e07622a49cf332541034

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/512-366-0x00000160CB410000-0x00000160CB432000-memory.dmp

Filesize
136KB

Download
memory/1840-373-0x000002C49CFB0000-0x000002C49D026000-memory.dmp

Filesize
472KB

Download
memory/2620-153-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-128-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-163-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-164-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-165-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-166-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-167-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-168-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-169-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-171-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-170-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-172-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-173-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-174-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-176-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-177-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-175-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-178-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-179-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-180-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-181-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-182-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-162-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-160-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-159-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-158-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-157-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-127-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-140-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-129-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-130-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-156-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-155-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-141-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-154-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-131-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-139-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-132-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-133-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-152-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-161-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-134-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-135-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-136-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-142-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-137-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-151-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-150-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-149-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-148-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-147-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-146-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-145-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-144-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-138-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-143-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-184-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4760-185-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4956-285-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/4956-289-0x0000000002520000-0x000000000252C000-memory.dmp

Filesize
48KB

Download
memory/4956-288-0x0000000002510000-0x000000000251C000-memory.dmp

Filesize
48KB

Download
memory/4956-287-0x00000000023F0000-0x00000000023FC000-memory.dmp

Filesize
48KB

Download
memory/4956-286-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/5160-817-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/5916-872-0x0000000001530000-0x0000000001542000-memory.dmp

Filesize
72KB

Download