dcrat | f223f7de0fdbe42a13a91e7cfa764febfe4fd6e999074e41f26682ccec8744d6

Analysis

max time kernel
19s
max time network
89s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f223f7de0fdbe42a13a91e7cfa764febfe4fd6e999074e41f26682ccec8744d6.exe
Size

1.3MB
MD5

0016098d653cbbb5e7b59e4516c9c9d1
SHA1

4e4e4e2c069e4980e1a1cc9bff9408d2ab68722f
SHA256

f223f7de0fdbe42a13a91e7cfa764febfe4fd6e999074e41f26682ccec8744d6
SHA512

4b5b488fed47d44d1f4329f0bfc16c86495f76717223fef858f773ef90ed3a7a40464d799f4ec1ed8ca836fd40641ffb6ad09ba5b5f45dbb70a6324c996d902d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	96	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	3260	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3260	schtasks.exe	70

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abfd-284.dat	dcrat
behavioral1/files/0x000800000001abfd-285.dat	dcrat
behavioral1/memory/4728-286-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac38-536.dat	dcrat
behavioral1/files/0x000600000001ac38-534.dat	dcrat
behavioral1/files/0x000600000001ac38-920.dat	dcrat
behavioral1/files/0x000600000001ac38-948.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
4728	DllCommonsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\services.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ELAMBKUP\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\Logs\HomeGroup\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\HomeGroup\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\ELAMBKUP\spoolsv.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4996	schtasks.exe
4900	schtasks.exe
2756	schtasks.exe
4848	schtasks.exe
4808	schtasks.exe
4692	schtasks.exe
2996	schtasks.exe
3968	schtasks.exe
1252	schtasks.exe
3192	schtasks.exe
5032	schtasks.exe
4252	schtasks.exe
4964	schtasks.exe
208	schtasks.exe
2140	schtasks.exe
4984	schtasks.exe
2720	schtasks.exe
4216	schtasks.exe
4908	schtasks.exe
4708	schtasks.exe
1124	schtasks.exe
4792	schtasks.exe
4088	schtasks.exe
3316	schtasks.exe
3832	schtasks.exe
2196	schtasks.exe
3728	schtasks.exe
1776	schtasks.exe
648	schtasks.exe
4176	schtasks.exe
3888	schtasks.exe
4888	schtasks.exe
4660	schtasks.exe
784	schtasks.exe
4184	schtasks.exe
3712	schtasks.exe
4928	schtasks.exe
4672	schtasks.exe
96	schtasks.exe
4688	schtasks.exe
664	schtasks.exe
4236	schtasks.exe
4124	schtasks.exe
3852	schtasks.exe
4968	schtasks.exe
2976	schtasks.exe
316	schtasks.exe
2064	schtasks.exe
1040	schtasks.exe
4280	schtasks.exe
4656	schtasks.exe
1496	schtasks.exe
1744	schtasks.exe
960	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	f223f7de0fdbe42a13a91e7cfa764febfe4fd6e999074e41f26682ccec8744d6.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4728	DllCommonsvc.exe
4728	DllCommonsvc.exe
4728	DllCommonsvc.exe
4728	DllCommonsvc.exe
4728	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1936	2204	f223f7de0fdbe42a13a91e7cfa764febfe4fd6e999074e41f26682ccec8744d6.exe	66
PID 2204 wrote to memory of 1936	2204	f223f7de0fdbe42a13a91e7cfa764febfe4fd6e999074e41f26682ccec8744d6.exe	66
PID 2204 wrote to memory of 1936	2204	f223f7de0fdbe42a13a91e7cfa764febfe4fd6e999074e41f26682ccec8744d6.exe	66
PID 1936 wrote to memory of 3048	1936	WScript.exe	67
PID 1936 wrote to memory of 3048	1936	WScript.exe	67
PID 1936 wrote to memory of 3048	1936	WScript.exe	67
PID 3048 wrote to memory of 4728	3048	cmd.exe	69
PID 3048 wrote to memory of 4728	3048	cmd.exe	69

C:\Users\Admin\AppData\Local\Temp\f223f7de0fdbe42a13a91e7cfa764febfe4fd6e999074e41f26682ccec8744d6.exe
"C:\Users\Admin\AppData\Local\Temp\f223f7de0fdbe42a13a91e7cfa764febfe4fd6e999074e41f26682ccec8744d6.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\services.exe'
        5⤵
        
        PID:3948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\spoolsv.exe'
        5⤵
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\fontdrvhost.exe'
        5⤵
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\conhost.exe'
        5⤵
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        
        PID:4920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\RuntimeBroker.exe'
        5⤵
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        
        PID:3572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
        5⤵
        
        PID:5080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        
        PID:3816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
        5⤵
        
        PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        
        PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\taskhostw.exe'
        5⤵
        
        PID:436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        
        PID:3584
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NK82PBfYOI.bat"
        5⤵
        
        PID:528
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4968
      - C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        6⤵
        
        PID:5040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        7⤵
        
        PID:5388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5128
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        8⤵
        
        PID:5140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"
        9⤵
        
        PID:5808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5788
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        10⤵
        
        PID:648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
        11⤵
        
        PID:5088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:908
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        12⤵
        
        PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\ELAMBKUP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\ELAMBKUP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\HomeGroup\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:96

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10f2421e109e1e6bca9231d813e21bb4

SHA1
b3fd29bc67665377ae54fcf18f8b8952a02399c0

SHA256
e1c99e60e35fe639a5fc8c017fb7e0a5c37f6c5095b05b58ae83fbf5f006d759

SHA512
169ff037893b24ac39bec1905bc29d0769105b54e03f9f027f71c0f4e81e1387951012e01fa4388d6b27ad2f2ccbbf619c2ae29c5b6a4a3d463ef461e93ec824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b43c98167aa8c99fa67c2c2afba3f69

SHA1
9be7a5effb710e0add88664889dbc1a7ae855b3d

SHA256
552178d6b2cd9a8de5419b80e10af540462a8d77edb4650722676fae4471752a

SHA512
60fb5c7e4f815235260258894d6416c237760e8b5dad4b4ad99becc35f95e023be13d1861e8a16fedddafa4145e22a9ae5623215bc44b88a7e5844112e9aff2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4c21f457fa28ece48a7a83304462c067

SHA1
642b586afce5ff62924e558bc6343e27c7d20ba2

SHA256
492b39a0bb6d925b2654fce80a6cb2af1e630d60b131c3644e177fa77a947585

SHA512
502430583ed20497d71d8bae79c152283ef41e8e09f592f7fb593fe5e886a93678d684194c26666dd0acac10a362c7ee161b9ce1b8f882b64a186447bf91a714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a84032a28400bd665b35fff05f868706

SHA1
bf7fe6bd53c1b3fc0f3cfa5f88a2056c8bed6a4e

SHA256
f0a22a0847d0167e3566b5b63a7c1e1daaaa91c1e01b32cb8397910d3e9f695c

SHA512
8dbcb75c76ed462943649e00efd0d1e52f9875d5bc540f5d6d6b4478b8ba97cd4c0983cc037fe71ca991e655e89b887c213af577d52e0fb6afd263904118391e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24893de1d8dede290e979096bd5b2686

SHA1
e1dbcb19f647068e881b8910a4b454b78856eafa

SHA256
1b6746ba8c8837931cfdce7acb573bb04584e9659716e4016bf596ff7450e136

SHA512
14a5145ee618239a6cf781e41cb553d8a2bc8fa4382efca42f3f3d19ac7e74d0425f1564013a879766a704fcbb23e564e2b250a3b5685e6083b16e705d278ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59b6b371e43956207138e57f231b92fe

SHA1
f41efa1f8270b4b6b04cf4e0361020154ba93771

SHA256
87c0782193ecb7f10e647573f4fdd44a5cfbd92e42a6426836cfde018e9059d7

SHA512
3696f327045b415a077945b673c8c49b87d7faf22dbd87e40ad520f9b21cff2b101d8ebd7924eeb476c051f9d442c501ac49440067e18a468795422b96a42509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bad22f29a42a224a14d3d41a50bea2a7

SHA1
ee1c72c7fcc3313503e703bb1f188c7152d1a4e3

SHA256
7a17a13a9e5ce953004429df0924b2711e4c2115aaefa38dcefc52c1833a12b4

SHA512
0294deed62e263f399ddb387844f9489f7b43c7d487f3ce24b7e4c008580c89ecf95bc654d7aa96f373e2ad0a88ca283d9c58967e1ed63a62308d7b653a14767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bad22f29a42a224a14d3d41a50bea2a7

SHA1
ee1c72c7fcc3313503e703bb1f188c7152d1a4e3

SHA256
7a17a13a9e5ce953004429df0924b2711e4c2115aaefa38dcefc52c1833a12b4

SHA512
0294deed62e263f399ddb387844f9489f7b43c7d487f3ce24b7e4c008580c89ecf95bc654d7aa96f373e2ad0a88ca283d9c58967e1ed63a62308d7b653a14767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
483a364de437c7394032827766f4504c

SHA1
59aacc4fc8dc84fa692802087de4360a4601a34b

SHA256
110e5fc129fbb693d6ade2202bdbec82a81ab79480173518cc78ac92c54735d1

SHA512
c7564d3926daf4b9a790e0e39732e935ce5f6b73167958a017624f27522da078ff93a74afab304a82070d9c381184b4aac379d319742cf4ae922d6289739637a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
483a364de437c7394032827766f4504c

SHA1
59aacc4fc8dc84fa692802087de4360a4601a34b

SHA256
110e5fc129fbb693d6ade2202bdbec82a81ab79480173518cc78ac92c54735d1

SHA512
c7564d3926daf4b9a790e0e39732e935ce5f6b73167958a017624f27522da078ff93a74afab304a82070d9c381184b4aac379d319742cf4ae922d6289739637a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
808ae890a73b4d742a4e957c5411b932

SHA1
e2c2a8d9fa5c38517762a3ce1effa73e103bdbec

SHA256
27673f382c306e058796ada5c5876f0aba6f73d44714d2a0f9325d03e3610410

SHA512
289085dd60ce20f3b158ec03d2c868e0e0b9ad3f800247f9719ea31a8090b0df3aa49f571cf4f04092f5c07a856207e0de17b377764ade78b298d12a399441d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b3464102bdbadc6766614107b030f40

SHA1
d80270b0c673d5073ca01dcc1c2a36579deb2fa7

SHA256
c0794a918674ead25e7f081aeb65772879d8184cca46d753f6c6ec2674bfa9cd

SHA512
3abaa4b11ca11b2781e328f2c918b8f637deefada504ac4ff9a7f4795462fdfc4d1054225bed434283985269bc4826fc6f348a50d40574c9727aab82f1e0068b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc2aa2bcb7ac5cad1f2ca76506f25e76

SHA1
4d45f8b4abce208312e945dae484c166c1793631

SHA256
448e856618366db839258ae5eca7a83d4cc61ebb28a1a5ffcc26c8e4598db1b3

SHA512
4deb954157fd1ede11d492d06d4c1c700d90bbaee54d06879f7f0a0c3788bea93dea6e759273e4ffc6497f25522c7689b18588ca1aca168e196bf6675ffb8b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc2aa2bcb7ac5cad1f2ca76506f25e76

SHA1
4d45f8b4abce208312e945dae484c166c1793631

SHA256
448e856618366db839258ae5eca7a83d4cc61ebb28a1a5ffcc26c8e4598db1b3

SHA512
4deb954157fd1ede11d492d06d4c1c700d90bbaee54d06879f7f0a0c3788bea93dea6e759273e4ffc6497f25522c7689b18588ca1aca168e196bf6675ffb8b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a4debce69c67e7c53075a6539c5ecfaf

SHA1
6c68752ccb3be93f60643bedff0bf120759fe96f

SHA256
e469a01f898dc9ff03530fb1e69a7718c5132b5375b93f7b2c0eb86aee3a7b02

SHA512
a39427b54d6323342c63e58f0df3de71df6f9719653e7976857b1162cb45e63018763d0674985a28b09efb2e273dc4193d14dc774652ae53bfcf9a814c9bbf7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2bffa79c48ebabc8261a8bfe031e11d7

SHA1
b82d74018d6d0aa8906e41e9766d6d6fa4d17f46

SHA256
252e76fbe6501375a2ada7db9a7a70c30d7f23fefb1b586bc2f4de24f82e80d5

SHA512
e1c65ad3c4811d367d26a99ac39b1a13c67c57f3205e5ee4a8c9ca7f4410ad052c38e3c084588cc2b4072b5a27237745bc3bcd45fe1247d40f7049b5f2a87d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat

Filesize
196B

MD5
e8a68a0f4d8bb0efdd1bb7646122c776

SHA1
991581c70476237a29a632677617cad3ff2f0f38

SHA256
db3896a529d9f41415badb09516355fcd81b2e2ec603692630e67ef248a20dbe

SHA512
185b4fa789d26b806daed4c2fe4e0db3e367f519027e27cdc7c5b06df729fdcc78da3b012e4dc552632ec07c0d1d02b89b084b80c96576cb001fb2c1fb68d95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NK82PBfYOI.bat

Filesize
196B

MD5
e8b7c44aea107ddb7cb858de60b13eb4

SHA1
827ac28972c641c94efa66f55d2f9990d12d3a44

SHA256
631b9959148993e4c3b1bcc48173e47385ae5345d3dba72cc4a108ea81ab3437

SHA512
a290846021891e09a0dbb564c82ef63076116ee3b90de2d0eb674a54364e0dae6de84e749cf9d80f45a4a03549be775ecd80ee69e373d966353dd2d11f88dff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat

Filesize
196B

MD5
c481dafa3c88cc91a1f130e8be814997

SHA1
4095e043caa213c0ac42666b7e244591ebdc3a11

SHA256
12995a01223839eb28fd93e5b29c25c8f411f72e1266cb1fc0c93e2caf9e3446

SHA512
54442436981b5c612738bcfa70871078e402bbaf64570194f278438559e7cc7604d514fc9072fe95789888e6e2f18205d5f96f10e40d6f9ad05157ecd982fc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
196B

MD5
58282f0fa565c3ff9d7bba20d08da8e9

SHA1
75ff0b49f452f4f15f0962c820d8369046d77617

SHA256
72664867ca0392621ec6c96d63b12655c523791d5e61c9edb3e9b578bd6ef148

SHA512
59198d063d79c59973271e4ba546e47365f05a9d187efea876a45a33a8eb0cc3935a759899c99008583fb5b376b194edc6fa697ec8a505736de654f5308b4364

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1768-383-0x0000013052420000-0x0000013052442000-memory.dmp

Filesize
136KB

Download
memory/1936-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1936-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-174-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-175-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-177-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-181-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-160-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-159-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-158-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-154-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2204-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4128-411-0x0000021B39160000-0x0000021B391D6000-memory.dmp

Filesize
472KB

Download
memory/4728-290-0x0000000002A10000-0x0000000002A1C000-memory.dmp

Filesize
48KB

Download
memory/4728-286-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/4728-287-0x00000000029F0000-0x0000000002A02000-memory.dmp

Filesize
72KB

Download
memory/4728-288-0x0000000002A00000-0x0000000002A0C000-memory.dmp

Filesize
48KB

Download
memory/4728-289-0x000000001BED0000-0x000000001BEDC000-memory.dmp

Filesize
48KB

Download