dcrat | a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212

Analysis

max time kernel
144s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212.exe
Size

1.3MB
MD5

39e84967f09e97e919740a9f100535cd
SHA1

ad6bd5286acdb545ec27a50101f2fd874b655aa6
SHA256

a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212
SHA512

507d1f20a3f30b7fbd6f6d28de4b3a29a6e5ebb65daf03cb315da8ef1ce931e8ab1b2d51f9462a1408328c95cd52ce266e4c2131ecb4e35d8b08c6269c6cb29e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	1348	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	1348	schtasks.exe	39

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0002000000022df0-137.dat	dcrat
behavioral1/files/0x0002000000022df0-138.dat	dcrat
behavioral1/memory/4548-139-0x0000000000630000-0x0000000000740000-memory.dmp	dcrat
behavioral1/files/0x0002000000022df4-196.dat	dcrat
behavioral1/files/0x0002000000022df4-195.dat	dcrat
behavioral1/files/0x0002000000022df4-203.dat	dcrat
behavioral1/files/0x0002000000022df4-211.dat	dcrat
behavioral1/files/0x0002000000022df4-218.dat	dcrat
behavioral1/files/0x0002000000022df4-225.dat	dcrat
behavioral1/files/0x0002000000022df4-232.dat	dcrat
behavioral1/files/0x0002000000022df4-239.dat	dcrat
behavioral1/files/0x0002000000022df4-246.dat	dcrat
behavioral1/files/0x0002000000022df4-253.dat	dcrat

Executes dropped EXE 10 IoCs

pid	Process
4548	DllCommonsvc.exe
3312	dwm.exe
1148	dwm.exe
384	dwm.exe
4120	dwm.exe
844	dwm.exe
4220	dwm.exe
1556	dwm.exe
2088	dwm.exe
4592	dwm.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dwm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\fontdrvhost.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Cursors\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1996	schtasks.exe
112	schtasks.exe
312	schtasks.exe
4080	schtasks.exe
3664	schtasks.exe
3036	schtasks.exe
4244	schtasks.exe
752	schtasks.exe
2184	schtasks.exe
1660	schtasks.exe
3740	schtasks.exe
4624	schtasks.exe
4328	schtasks.exe
2920	schtasks.exe
116	schtasks.exe
1884	schtasks.exe
1496	schtasks.exe
4996	schtasks.exe
2860	schtasks.exe
1836	schtasks.exe
4572	schtasks.exe
4752	schtasks.exe
4788	schtasks.exe
712	schtasks.exe
4376	schtasks.exe
528	schtasks.exe
1820	schtasks.exe
4604	schtasks.exe
3848	schtasks.exe
3724	schtasks.exe
424	schtasks.exe
3040	schtasks.exe
4072	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
4548	DllCommonsvc.exe
3144	powershell.exe
1168	powershell.exe
1168	powershell.exe
1732	powershell.exe
1732	powershell.exe
4084	powershell.exe
4084	powershell.exe
3256	powershell.exe
3256	powershell.exe
2868	powershell.exe
2868	powershell.exe
4884	powershell.exe
4884	powershell.exe
4516	powershell.exe
4516	powershell.exe
3504	powershell.exe
3504	powershell.exe
2428	powershell.exe
2428	powershell.exe
5092	powershell.exe
5092	powershell.exe
4188	powershell.exe
4188	powershell.exe
4884	powershell.exe
4188	powershell.exe
5092	powershell.exe
3144	powershell.exe
3144	powershell.exe
4084	powershell.exe
1168	powershell.exe
1168	powershell.exe
3256	powershell.exe
1732	powershell.exe
1732	powershell.exe
2868	powershell.exe
4516	powershell.exe
3504	powershell.exe
2428	powershell.exe
3312	dwm.exe
1148	dwm.exe
384	dwm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	DllCommonsvc.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	3312	dwm.exe
Token: SeDebugPrivilege	1148	dwm.exe
Token: SeDebugPrivilege	384	dwm.exe
Token: SeDebugPrivilege	4120	dwm.exe
Token: SeDebugPrivilege	844	dwm.exe
Token: SeDebugPrivilege	4220	dwm.exe
Token: SeDebugPrivilege	1556	dwm.exe
Token: SeDebugPrivilege	2088	dwm.exe
Token: SeDebugPrivilege	4592	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 4860	4712	a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212.exe	80
PID 4712 wrote to memory of 4860	4712	a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212.exe	80
PID 4712 wrote to memory of 4860	4712	a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212.exe	80
PID 4860 wrote to memory of 5020	4860	WScript.exe	81
PID 4860 wrote to memory of 5020	4860	WScript.exe	81
PID 4860 wrote to memory of 5020	4860	WScript.exe	81
PID 5020 wrote to memory of 4548	5020	cmd.exe	83
PID 5020 wrote to memory of 4548	5020	cmd.exe	83
PID 4548 wrote to memory of 3144	4548	DllCommonsvc.exe	117
PID 4548 wrote to memory of 3144	4548	DllCommonsvc.exe	117
PID 4548 wrote to memory of 1168	4548	DllCommonsvc.exe	118
PID 4548 wrote to memory of 1168	4548	DllCommonsvc.exe	118
PID 4548 wrote to memory of 3256	4548	DllCommonsvc.exe	120
PID 4548 wrote to memory of 3256	4548	DllCommonsvc.exe	120
PID 4548 wrote to memory of 4084	4548	DllCommonsvc.exe	121
PID 4548 wrote to memory of 4084	4548	DllCommonsvc.exe	121
PID 4548 wrote to memory of 1732	4548	DllCommonsvc.exe	126
PID 4548 wrote to memory of 1732	4548	DllCommonsvc.exe	126
PID 4548 wrote to memory of 2868	4548	DllCommonsvc.exe	125
PID 4548 wrote to memory of 2868	4548	DllCommonsvc.exe	125
PID 4548 wrote to memory of 4516	4548	DllCommonsvc.exe	124
PID 4548 wrote to memory of 4516	4548	DllCommonsvc.exe	124
PID 4548 wrote to memory of 3504	4548	DllCommonsvc.exe	139
PID 4548 wrote to memory of 3504	4548	DllCommonsvc.exe	139
PID 4548 wrote to memory of 4884	4548	DllCommonsvc.exe	130
PID 4548 wrote to memory of 4884	4548	DllCommonsvc.exe	130
PID 4548 wrote to memory of 2428	4548	DllCommonsvc.exe	132
PID 4548 wrote to memory of 2428	4548	DllCommonsvc.exe	132
PID 4548 wrote to memory of 4188	4548	DllCommonsvc.exe	134
PID 4548 wrote to memory of 4188	4548	DllCommonsvc.exe	134
PID 4548 wrote to memory of 5092	4548	DllCommonsvc.exe	135
PID 4548 wrote to memory of 5092	4548	DllCommonsvc.exe	135
PID 4548 wrote to memory of 2088	4548	DllCommonsvc.exe	141
PID 4548 wrote to memory of 2088	4548	DllCommonsvc.exe	141
PID 2088 wrote to memory of 3040	2088	cmd.exe	143
PID 2088 wrote to memory of 3040	2088	cmd.exe	143
PID 2088 wrote to memory of 3312	2088	cmd.exe	145
PID 2088 wrote to memory of 3312	2088	cmd.exe	145
PID 3312 wrote to memory of 1888	3312	dwm.exe	151
PID 3312 wrote to memory of 1888	3312	dwm.exe	151
PID 1888 wrote to memory of 4404	1888	cmd.exe	154
PID 1888 wrote to memory of 4404	1888	cmd.exe	154
PID 1888 wrote to memory of 1148	1888	cmd.exe	155
PID 1888 wrote to memory of 1148	1888	cmd.exe	155
PID 1148 wrote to memory of 3144	1148	dwm.exe	156
PID 1148 wrote to memory of 3144	1148	dwm.exe	156
PID 3144 wrote to memory of 2644	3144	cmd.exe	158
PID 3144 wrote to memory of 2644	3144	cmd.exe	158
PID 3144 wrote to memory of 384	3144	cmd.exe	159
PID 3144 wrote to memory of 384	3144	cmd.exe	159
PID 384 wrote to memory of 1328	384	dwm.exe	160
PID 384 wrote to memory of 1328	384	dwm.exe	160
PID 1328 wrote to memory of 5064	1328	cmd.exe	162
PID 1328 wrote to memory of 5064	1328	cmd.exe	162
PID 1328 wrote to memory of 4120	1328	cmd.exe	163
PID 1328 wrote to memory of 4120	1328	cmd.exe	163
PID 4120 wrote to memory of 5012	4120	dwm.exe	164
PID 4120 wrote to memory of 5012	4120	dwm.exe	164
PID 5012 wrote to memory of 3336	5012	cmd.exe	166
PID 5012 wrote to memory of 3336	5012	cmd.exe	166
PID 5012 wrote to memory of 844	5012	cmd.exe	167
PID 5012 wrote to memory of 844	5012	cmd.exe	167
PID 844 wrote to memory of 1428	844	dwm.exe	168
PID 844 wrote to memory of 1428	844	dwm.exe	168

C:\Users\Admin\AppData\Local\Temp\a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212.exe
"C:\Users\Admin\AppData\Local\Temp\a53e5fc9e6c345fce0576de406be54d92b094d87e0f277a6c8fc1e43870b4212.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkc2JnkG5S.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3040
      - C:\Windows\Cursors\dwm.exe
        
        "C:\Windows\Cursors\dwm.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4404
        
        C:\Windows\Cursors\dwm.exe
        
        "C:\Windows\Cursors\dwm.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2644
        
        C:\Windows\Cursors\dwm.exe
        
        "C:\Windows\Cursors\dwm.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5064
        
        C:\Windows\Cursors\dwm.exe
        
        "C:\Windows\Cursors\dwm.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3336
        
        C:\Windows\Cursors\dwm.exe
        
        "C:\Windows\Cursors\dwm.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
        15⤵
        
        PID:1428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4388
        
        C:\Windows\Cursors\dwm.exe
        
        "C:\Windows\Cursors\dwm.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        17⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5044
        
        C:\Windows\Cursors\dwm.exe
        
        "C:\Windows\Cursors\dwm.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat"
        19⤵
        
        PID:1440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3040
        
        C:\Windows\Cursors\dwm.exe
        
        "C:\Windows\Cursors\dwm.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        21⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1800
        
        C:\Windows\Cursors\dwm.exe
        
        "C:\Windows\Cursors\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Links\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\Links\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
191B

MD5
9fda9ff3348cc66f18b0e13d6093405c

SHA1
217d9231deaf4790483f2f0ff476184160aeb002

SHA256
11ba2d28aa78bc392d62aecda63bb4d6b51c971acfb3256ca20c81d4faa12f97

SHA512
21849fbb5a45c00da7be10d138ab601a2ffc22446c2803e0fd9a70a7a09bfeb07d323eb079c68eb62d7ba2353fd97e20a4c8f21dbf71683dbad76e84f3cded20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat

Filesize
191B

MD5
b1d513b55688635cc17c11559ade2f84

SHA1
4cf0529b4a615d0386fc9949e30cd873b0078d21

SHA256
8818e86d9659f18f545742e77547d8dfc2930d6b5201d3e1c7e24b7b603a8e7b

SHA512
29e7f5aaeae4cea3958c79bd76a10001d61e272fcd682a01731839784972d1332bb2c41e9a9e7fd25a9dc0b7adf5460819393ff71b26f786ddd6be310ffeed90

Download Submit
C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat

Filesize
191B

MD5
176e57b4e719c9c8d8565843222761bc

SHA1
7e0139ea8cc61689a8c2d32bde72e6a3690f5cd2

SHA256
24d7c91be5c5444bc9258428ea6ea8c3c790c43e8053d49e04829aae38c1deb1

SHA512
3f04f57882104677d0dcfb45c040ffa8d880f263893aa0d3c034f8f5c7d6cc2f9495c502bc8900d020771495c96e1e00ad580f204496b4b1cd98db882c01af80

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
191B

MD5
f03fdb7448cc88d720d62c7fb58714fe

SHA1
d21ae380d2fc72de7426eb9ae8c50cad23f269ed

SHA256
cff4d31ed16e3191d919cf54cefdbde5a51f5ed28dcacfedbcdb4f788abcd1a4

SHA512
d23d76c65050e3250eb25f0c3dd779ddc642046f4c0a372ece78dcedc4ac378645df762e26d733fc433c0d354b3b58ee9581480810be3cbfec03c757181fdfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
191B

MD5
73e99d156a500c202a8ed862f108a59d

SHA1
cf34253a2fc62d10641deda750ec72071cf0591e

SHA256
513726ff5e5887ba06362d0cb39fcec4edbd55d3dd8f96323b6c7d4a1e53cda3

SHA512
4ff189f704aa5e5aa5428723ccb217e576c1e7d0e7d96157a44ec9d7480af21fe36d6bcdcdb74a7827a43f33b2925566c1f33d6f6033175bda91466b3da9df96

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
191B

MD5
33ff014bdf12ed6ac09a50d570511d15

SHA1
0c0bf9771d725de21edef2d3db697416e060218e

SHA256
8058f130163a1e2db55ab28a30001e4f406f1f976e5d37dd36535476adec3f51

SHA512
c23fef4ececfdbae8a3ba5eb12616a3309d24bf840cfba7d2d922ee3c16079277965553fb0a2d0c536b088a084e1d17aa35bcf09fda38d2911f4bebf10d38907

Download Submit
C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat

Filesize
191B

MD5
d52b56dca0ea9e4e7d13fd2396572735

SHA1
1e3a27462ab6d3e142d9bbb769d2f78b8cf605fb

SHA256
c293a98fe5127766ba10da19f538dcbd5700ec1cde510e595317ae8bb0650496

SHA512
16e104f70ae7fc09c130fec547046d787ccf8f23b1191b2980b764bd5b3aca78c0f022e25c3d6a71b7f3ee31a08a49b6a56e14f14d47dce42d5c3b4e1c1c102a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat

Filesize
191B

MD5
c10ddf42efbec2fafb5e1aac3a165bc3

SHA1
55339d766aab1f3b809ebf1b974e7f0b2c8bb002

SHA256
e833157194e0ae733c8a40ca5c3b895091d89fc583a9365162ab067c96e9cd07

SHA512
fd94113def43a75632649d6d2c087e3a60bf9efd96ebf11643caed378a479056cf6b7f268b4100bf387ced74b3ae08711534fa245e1aa860f7272dd322674af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkc2JnkG5S.bat

Filesize
191B

MD5
076125be7e2edad521fd281bbfd5a784

SHA1
2369d5f060c827262a360bd1cebc0329ecb829e3

SHA256
02c46fa730c55bd287cbb8d682a9ad3190ecd2f78c70673456175c21a6919553

SHA512
56779442ff2685f52e88ce1252f1194f0957e0415a58b27418e3a79b24b4ec97b60ee0e461ef10c5087ebaa6f9335376ffbef48317fc3e4cabb82bd995282865

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Cursors\dwm.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/384-212-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/384-216-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/844-226-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/844-230-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/1148-205-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/1148-209-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/1168-183-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/1168-156-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-244-0x00007FFB86A60000-0x00007FFB87521000-memory.dmp

Filesize
10.8MB

Download
memory/1556-240-0x00007FFB86A60000-0x00007FFB87521000-memory.dmp

Filesize
10.8MB

Download
memory/1732-186-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-160-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-250-0x00007FFB86A60000-0x00007FFB87521000-memory.dmp

Filesize
10.8MB

Download
memory/2088-247-0x00007FFB86A60000-0x00007FFB87521000-memory.dmp

Filesize
10.8MB

Download
memory/2428-190-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/2428-166-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-161-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-193-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3144-155-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3144-153-0x000001F81FD10000-0x000001F81FD32000-memory.dmp

Filesize
136KB

Download
memory/3144-174-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-184-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3256-159-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3312-201-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3312-197-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-163-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-192-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-182-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4084-157-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4120-219-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/4120-223-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/4188-167-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4188-179-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4220-237-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/4220-233-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

Filesize
10.8MB

Download
memory/4516-162-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-188-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4548-139-0x0000000000630000-0x0000000000740000-memory.dmp

Filesize
1.1MB

Download
memory/4548-158-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4548-140-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-254-0x00007FFB86A60000-0x00007FFB87521000-memory.dmp

Filesize
10.8MB

Download
memory/4884-165-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-170-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-169-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-178-0x00007FFB86930000-0x00007FFB873F1000-memory.dmp

Filesize
10.8MB

Download