dcrat | ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138

Analysis

max time kernel
147s
max time network
153s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-11-2022 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe
Size

1.3MB
MD5

1ba91bf9dd57860a1c06b74732e50ea8
SHA1

7d1307ff0d4af4a37c69a5feffd54aaf9c590376
SHA256

ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138
SHA512

51308f98be76dcc1e1ac3234121098e34c13871560b12a0d44316d9ebc5acccbff7f0896ed461c2c141f88d679808e985f0642369e7fe6ec98dee1e719ad14fe
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	96	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	196	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	3176	schtasks.exe	70

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001ac33-280.dat	dcrat
behavioral1/files/0x000600000001ac33-281.dat	dcrat
behavioral1/memory/4820-282-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/files/0x000200000001ac47-779.dat	dcrat
behavioral1/files/0x000200000001ac47-778.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
4820	DllCommonsvc.exe
5860	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MiracastView\Assets\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\MiracastView\Assets\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2104	schtasks.exe
2484	schtasks.exe
4292	schtasks.exe
3640	schtasks.exe
2264	schtasks.exe
704	schtasks.exe
4688	schtasks.exe
1376	schtasks.exe
1244	schtasks.exe
668	schtasks.exe
196	schtasks.exe
2824	schtasks.exe
2848	schtasks.exe
4328	schtasks.exe
212	schtasks.exe
2272	schtasks.exe
2304	schtasks.exe
2240	schtasks.exe
3772	schtasks.exe
3760	schtasks.exe
832	schtasks.exe
1676	schtasks.exe
1236	schtasks.exe
592	schtasks.exe
756	schtasks.exe
60	schtasks.exe
4944	schtasks.exe
3572	schtasks.exe
4428	schtasks.exe
804	schtasks.exe
876	schtasks.exe
1116	schtasks.exe
420	schtasks.exe
1364	schtasks.exe
3348	schtasks.exe
4620	schtasks.exe
4920	schtasks.exe
4664	schtasks.exe
4520	schtasks.exe
4680	schtasks.exe
5024	schtasks.exe
4288	schtasks.exe
4552	schtasks.exe
96	schtasks.exe
1260	schtasks.exe
4568	schtasks.exe
4956	schtasks.exe
4364	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
2460	powershell.exe
2460	powershell.exe
2412	powershell.exe
2412	powershell.exe
3832	powershell.exe
3832	powershell.exe
3732	powershell.exe
3732	powershell.exe
4728	powershell.exe
4728	powershell.exe
4720	powershell.exe
4720	powershell.exe
4440	powershell.exe
4440	powershell.exe
3792	powershell.exe
3792	powershell.exe
4772	powershell.exe
4772	powershell.exe
4540	powershell.exe
4540	powershell.exe
5040	powershell.exe
5040	powershell.exe
3880	powershell.exe
3880	powershell.exe
4084	powershell.exe
4084	powershell.exe
2328	powershell.exe
2328	powershell.exe
4880	powershell.exe
4880	powershell.exe
4264	powershell.exe
4264	powershell.exe
4772	powershell.exe
4248	powershell.exe
4248	powershell.exe
5040	powershell.exe
2328	powershell.exe
3732	powershell.exe
2460	powershell.exe
2412	powershell.exe
3832	powershell.exe
4772	powershell.exe
4720	powershell.exe
4728	powershell.exe
4440	powershell.exe
5040	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5860	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	DllCommonsvc.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeIncreaseQuotaPrivilege	4772	powershell.exe
Token: SeSecurityPrivilege	4772	powershell.exe
Token: SeTakeOwnershipPrivilege	4772	powershell.exe
Token: SeLoadDriverPrivilege	4772	powershell.exe
Token: SeSystemProfilePrivilege	4772	powershell.exe
Token: SeSystemtimePrivilege	4772	powershell.exe
Token: SeProfSingleProcessPrivilege	4772	powershell.exe
Token: SeIncBasePriorityPrivilege	4772	powershell.exe
Token: SeCreatePagefilePrivilege	4772	powershell.exe
Token: SeBackupPrivilege	4772	powershell.exe
Token: SeRestorePrivilege	4772	powershell.exe
Token: SeShutdownPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeSystemEnvironmentPrivilege	4772	powershell.exe
Token: SeRemoteShutdownPrivilege	4772	powershell.exe
Token: SeUndockPrivilege	4772	powershell.exe
Token: SeManageVolumePrivilege	4772	powershell.exe
Token: 33	4772	powershell.exe
Token: 34	4772	powershell.exe
Token: 35	4772	powershell.exe
Token: 36	4772	powershell.exe
Token: SeIncreaseQuotaPrivilege	5040	powershell.exe
Token: SeSecurityPrivilege	5040	powershell.exe
Token: SeTakeOwnershipPrivilege	5040	powershell.exe
Token: SeLoadDriverPrivilege	5040	powershell.exe
Token: SeSystemProfilePrivilege	5040	powershell.exe
Token: SeSystemtimePrivilege	5040	powershell.exe
Token: SeProfSingleProcessPrivilege	5040	powershell.exe
Token: SeIncBasePriorityPrivilege	5040	powershell.exe
Token: SeCreatePagefilePrivilege	5040	powershell.exe
Token: SeBackupPrivilege	5040	powershell.exe
Token: SeRestorePrivilege	5040	powershell.exe
Token: SeShutdownPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeSystemEnvironmentPrivilege	5040	powershell.exe
Token: SeRemoteShutdownPrivilege	5040	powershell.exe
Token: SeUndockPrivilege	5040	powershell.exe
Token: SeManageVolumePrivilege	5040	powershell.exe
Token: 33	5040	powershell.exe
Token: 34	5040	powershell.exe
Token: 35	5040	powershell.exe
Token: 36	5040	powershell.exe
Token: SeIncreaseQuotaPrivilege	3732	powershell.exe
Token: SeSecurityPrivilege	3732	powershell.exe
Token: SeTakeOwnershipPrivilege	3732	powershell.exe
Token: SeLoadDriverPrivilege	3732	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 5072	2772	ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe	66
PID 2772 wrote to memory of 5072	2772	ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe	66
PID 2772 wrote to memory of 5072	2772	ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe	66
PID 5072 wrote to memory of 4260	5072	WScript.exe	67
PID 5072 wrote to memory of 4260	5072	WScript.exe	67
PID 5072 wrote to memory of 4260	5072	WScript.exe	67
PID 4260 wrote to memory of 4820	4260	cmd.exe	69
PID 4260 wrote to memory of 4820	4260	cmd.exe	69
PID 4820 wrote to memory of 2412	4820	DllCommonsvc.exe	119
PID 4820 wrote to memory of 2412	4820	DllCommonsvc.exe	119
PID 4820 wrote to memory of 2460	4820	DllCommonsvc.exe	121
PID 4820 wrote to memory of 2460	4820	DllCommonsvc.exe	121
PID 4820 wrote to memory of 3832	4820	DllCommonsvc.exe	129
PID 4820 wrote to memory of 3832	4820	DllCommonsvc.exe	129
PID 4820 wrote to memory of 3732	4820	DllCommonsvc.exe	128
PID 4820 wrote to memory of 3732	4820	DllCommonsvc.exe	128
PID 4820 wrote to memory of 4720	4820	DllCommonsvc.exe	123
PID 4820 wrote to memory of 4720	4820	DllCommonsvc.exe	123
PID 4820 wrote to memory of 4728	4820	DllCommonsvc.exe	127
PID 4820 wrote to memory of 4728	4820	DllCommonsvc.exe	127
PID 4820 wrote to memory of 4440	4820	DllCommonsvc.exe	130
PID 4820 wrote to memory of 4440	4820	DllCommonsvc.exe	130
PID 4820 wrote to memory of 3792	4820	DllCommonsvc.exe	131
PID 4820 wrote to memory of 3792	4820	DllCommonsvc.exe	131
PID 4820 wrote to memory of 4772	4820	DllCommonsvc.exe	133
PID 4820 wrote to memory of 4772	4820	DllCommonsvc.exe	133
PID 4820 wrote to memory of 5040	4820	DllCommonsvc.exe	134
PID 4820 wrote to memory of 5040	4820	DllCommonsvc.exe	134
PID 4820 wrote to memory of 4540	4820	DllCommonsvc.exe	143
PID 4820 wrote to memory of 4540	4820	DllCommonsvc.exe	143
PID 4820 wrote to memory of 3880	4820	DllCommonsvc.exe	136
PID 4820 wrote to memory of 3880	4820	DllCommonsvc.exe	136
PID 4820 wrote to memory of 2328	4820	DllCommonsvc.exe	137
PID 4820 wrote to memory of 2328	4820	DllCommonsvc.exe	137
PID 4820 wrote to memory of 4084	4820	DllCommonsvc.exe	138
PID 4820 wrote to memory of 4084	4820	DllCommonsvc.exe	138
PID 4820 wrote to memory of 4880	4820	DllCommonsvc.exe	152
PID 4820 wrote to memory of 4880	4820	DllCommonsvc.exe	152
PID 4820 wrote to memory of 4264	4820	DllCommonsvc.exe	147
PID 4820 wrote to memory of 4264	4820	DllCommonsvc.exe	147
PID 4820 wrote to memory of 4248	4820	DllCommonsvc.exe	148
PID 4820 wrote to memory of 4248	4820	DllCommonsvc.exe	148
PID 4820 wrote to memory of 4520	4820	DllCommonsvc.exe	153
PID 4820 wrote to memory of 4520	4820	DllCommonsvc.exe	153
PID 4520 wrote to memory of 4668	4520	cmd.exe	155
PID 4520 wrote to memory of 4668	4520	cmd.exe	155
PID 4520 wrote to memory of 5860	4520	cmd.exe	157
PID 4520 wrote to memory of 5860	4520	cmd.exe	157

C:\Users\Admin\AppData\Local\Temp\ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe
"C:\Users\Admin\AppData\Local\Temp\ff48aed2349d516fdb48004d22b9a566f4e399019898ed561330658ad1137138.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\MiracastView\Assets\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYTZXVMp1c.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4668
      - C:\Program Files (x86)\Windows Mail\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Mail\en-US\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\MiracastView\Assets\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:96

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\MiracastView\Assets\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\MiracastView\Assets\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Mail\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
385c0b049c4679e87f4ffa3737086469

SHA1
9f4eaf07814e112973bff6e2423f1f75f4a94630

SHA256
9164357803ac10fd009c75498f35c1b30e18deee6d04d1e77161be11a854824d

SHA512
f7102be5561c42a1e59ceef6a9fa79074c616d9364473fed5ba3250886005de06d4951e733b7a4538d31dac042250a041028cf581a14c78adec9400ec0328b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
872e125fdf348bfe7b638e0e75aa452c

SHA1
1f51e8d59fe2a012eab3bb7ad263609ad44e6dcf

SHA256
6b5fdf325de5b616535d24273b414ae835c8f6f9f99b71a745d9584aa764ddf8

SHA512
80f87fcb231500cae6822f12fbdc5c1ae8b3feac7ba7b058624c1225d249eacee9b8587b8a2a0e394f46d4f1799db987e7d9354b11f12713d4666274e2c8131b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
550b0abf5876ec5bdde1d01096ad22a1

SHA1
e94ed3ab6915e11f142505e4a2ecf9ebee3e7bef

SHA256
c3ee128523d3b8413e498aa89abcd4f2fd74a74ed2a6b5aaed3bf980851f29f7

SHA512
afd8cca40e6d812a48793d4e2573330e8012e2634676fe98d5d941935ad1406d5c0106771183007ffd98458c98e5cf30c729981bc08a07bc0b02446a043371eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aae132d87bada24f9005aa943cd41c38

SHA1
27ac7f46e309f74e84d4f2ddda2b598a6a5a7bf7

SHA256
7d17b6e19af2793afb56252831cf65d3794e2cf736cf6984deb414e2eb36837e

SHA512
2c15c5ede8dc68ca9cca5885a41f23110c3409a0f36db49ab95f58794d86579b3563e4ed777efb9d8eb42aa493c7a0fb83fb2f9ff5413a89d962c670677bee41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aae132d87bada24f9005aa943cd41c38

SHA1
27ac7f46e309f74e84d4f2ddda2b598a6a5a7bf7

SHA256
7d17b6e19af2793afb56252831cf65d3794e2cf736cf6984deb414e2eb36837e

SHA512
2c15c5ede8dc68ca9cca5885a41f23110c3409a0f36db49ab95f58794d86579b3563e4ed777efb9d8eb42aa493c7a0fb83fb2f9ff5413a89d962c670677bee41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38d9f0ac6b2882dd10c20c36ee2ef177

SHA1
68edff5742314057da7733824a4d080837bbfbce

SHA256
a75bec48e18c9a15d708fde1dae05f1304e9b7ea75081f03bac73f7d625462bc

SHA512
36eb7c3c7833fbd381b21098cb07d8278f7f1efa728663f3714ef552cb0f8e9f17b70c5121537a63b35763d034170ac7176dbb14347a424172b6eb7152385967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53f6740d8cf16f638b9b8cd9b2d1021a

SHA1
79f632ac491cf97975f80e742abb1be1c1a7161a

SHA256
ff91ee32c8028f016d1697242ae6d563e361c13ad181f6a2b0fbb72cec0b3148

SHA512
245f9b08b8872757b93b287c8d2cd8d26c62d07daa22a4e5e7b6c999c745ac5dc835b5a2094da5f85f5efc8d33fdd780d9ac11fc720d0d7fb80b511ae847beed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4037e78e7ccc7ead97a217e161dbaa8e

SHA1
e13db9d8e12f972faa6544b41df506fb33d99c95

SHA256
d99578c68faf04ad05716fbdc27e1cdc39f950e63cbc52b874815bb0b9250789

SHA512
9ac7be499721d5b76f6293524b750da19b1cedc009b13ce1bff09fe1a54ed0e09be11766be67c9cdceebf93ceb57ae4cadae399b65f376ef6773995c88245e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4037e78e7ccc7ead97a217e161dbaa8e

SHA1
e13db9d8e12f972faa6544b41df506fb33d99c95

SHA256
d99578c68faf04ad05716fbdc27e1cdc39f950e63cbc52b874815bb0b9250789

SHA512
9ac7be499721d5b76f6293524b750da19b1cedc009b13ce1bff09fe1a54ed0e09be11766be67c9cdceebf93ceb57ae4cadae399b65f376ef6773995c88245e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc82582ac3e575a21c76bffe939c5edf

SHA1
2a96629f348c947e3acbaf1b213e73b8890f543f

SHA256
9ab617e03c1d5d5a3cbe5f0c3fcb204eb926723b828f4ff4ceb640c6c061592c

SHA512
f4e61c7c3a33abf44ab9aadae6c2fef0e92272a41ced750ef0125d532d461a28bc14471ea1d1816136418b602535c5812c2d71543f7f134b2474c1166bc6f5a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a2f9993e45ce9a23a0f9de44cc1495c

SHA1
71ac0113393305e51d7c7bf8edd7b9a2c5ba0727

SHA256
0c06f08dc407ce42d61d6a57f8158c30c9f1f7d0dc2439e848c4d91c61240804

SHA512
d0666d189188f7b18f429f8d119246bd578121708ef29142bf73ae50837d422508d718b9fdc0f25acacc0573728ae990350a4bb32fd62c2387c9aa98b20d72bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a2f9993e45ce9a23a0f9de44cc1495c

SHA1
71ac0113393305e51d7c7bf8edd7b9a2c5ba0727

SHA256
0c06f08dc407ce42d61d6a57f8158c30c9f1f7d0dc2439e848c4d91c61240804

SHA512
d0666d189188f7b18f429f8d119246bd578121708ef29142bf73ae50837d422508d718b9fdc0f25acacc0573728ae990350a4bb32fd62c2387c9aa98b20d72bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a2f9993e45ce9a23a0f9de44cc1495c

SHA1
71ac0113393305e51d7c7bf8edd7b9a2c5ba0727

SHA256
0c06f08dc407ce42d61d6a57f8158c30c9f1f7d0dc2439e848c4d91c61240804

SHA512
d0666d189188f7b18f429f8d119246bd578121708ef29142bf73ae50837d422508d718b9fdc0f25acacc0573728ae990350a4bb32fd62c2387c9aa98b20d72bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
29c6bfd09c11baaf764426330954d7a1

SHA1
b89c8daa537f3bdcd290c5872f651d2f5b1580e7

SHA256
ed020b675aa8d18a86d433365722d236d31c85877dbc4a8b951da0d15b5eb0f0

SHA512
b33d2bb70bce42ccb7e992cc8e3aa4239e68d218aa8a8fdda01d2055fbb45abf4e5a6c2ec5b2224e87c4ad651bd98dade191820f5e6bd15f5511803e860a391f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
29c6bfd09c11baaf764426330954d7a1

SHA1
b89c8daa537f3bdcd290c5872f651d2f5b1580e7

SHA256
ed020b675aa8d18a86d433365722d236d31c85877dbc4a8b951da0d15b5eb0f0

SHA512
b33d2bb70bce42ccb7e992cc8e3aa4239e68d218aa8a8fdda01d2055fbb45abf4e5a6c2ec5b2224e87c4ad651bd98dade191820f5e6bd15f5511803e860a391f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d51ff04b56efcd69cde1f3de847b957

SHA1
b79144c1766e1336dc4511ffa427a1c7b31169f1

SHA256
c894ad50c541312b3b4baa375c12573b8390bda199c59c0068f548d247a9fc6f

SHA512
8460ae5037dd614faeaad593fb52e5c6ddf057353bf3e023843b6081cc98decd65e01fab89ff452fca61fe0b9e83f04ebf3b89dcb6c60ac9a578585300a0ed95

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYTZXVMp1c.bat

Filesize
218B

MD5
b718d22c6682ccd9fdbbf7f69b25c113

SHA1
36823b0e5b3aa9eab49af56de4f893cf7c595ec7

SHA256
576158b2d42bf2b48b110a3a897b5716ed0e433acb9a40b72bf5704787dadcea

SHA512
7e7ec599c4cd87c8f9f40bcd190d22505bd0f33f299f347007d27623fa9e650e09997f233458dc04829e859627de5e25db4e676a4d3d7e5997ea1f54b7e25c28

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2328-310-0x0000000000000000-mapping.dmp

Download
memory/2412-287-0x0000000000000000-mapping.dmp

Download
memory/2460-369-0x0000026CDC800000-0x0000026CDC822000-memory.dmp

Filesize
136KB

Download
memory/2460-288-0x0000000000000000-mapping.dmp

Download
memory/2772-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-116-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-117-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-290-0x0000000000000000-mapping.dmp

Download
memory/3792-294-0x0000000000000000-mapping.dmp

Download
memory/3832-289-0x0000000000000000-mapping.dmp

Download
memory/3880-306-0x0000000000000000-mapping.dmp

Download
memory/4084-312-0x0000000000000000-mapping.dmp

Download
memory/4248-325-0x0000000000000000-mapping.dmp

Download
memory/4260-256-0x0000000000000000-mapping.dmp

Download
memory/4264-320-0x0000000000000000-mapping.dmp

Download
memory/4440-293-0x0000000000000000-mapping.dmp

Download
memory/4520-356-0x0000000000000000-mapping.dmp

Download
memory/4540-302-0x0000000000000000-mapping.dmp

Download
memory/4668-398-0x0000000000000000-mapping.dmp

Download
memory/4720-291-0x0000000000000000-mapping.dmp

Download
memory/4728-292-0x0000000000000000-mapping.dmp

Download
memory/4772-297-0x0000000000000000-mapping.dmp

Download
memory/4772-393-0x0000028EF23D0000-0x0000028EF2446000-memory.dmp

Filesize
472KB

Download
memory/4820-286-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/4820-285-0x00000000008D0000-0x00000000008DC000-memory.dmp

Filesize
48KB

Download
memory/4820-284-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/4820-283-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/4820-282-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/4820-279-0x0000000000000000-mapping.dmp

Download
memory/4880-316-0x0000000000000000-mapping.dmp

Download
memory/5040-299-0x0000000000000000-mapping.dmp

Download
memory/5072-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-180-0x0000000000000000-mapping.dmp

Download
memory/5860-761-0x0000000000000000-mapping.dmp

Download
memory/5860-830-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download