dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
8s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Size

1.3MB
MD5

adde6baef89ebb01b5e60f15610ba470
SHA1

edc49b43aa822b754ee617db11c3ffc1a3e79ec1
SHA256

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
SHA512

89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4124	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	4124	schtasks.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral12/memory/1472-139-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
C:\Users\All Users\dllhost.exe	dcrat
C:\ProgramData\dllhost.exe	dcrat
C:\ProgramData\dllhost.exe	dcrat
C:\ProgramData\dllhost.exe	dcrat
C:\ProgramData\dllhost.exe	dcrat
C:\ProgramData\dllhost.exe	dcrat
C:\ProgramData\dllhost.exe	dcrat
C:\ProgramData\dllhost.exe	dcrat
C:\ProgramData\dllhost.exe	dcrat
C:\ProgramData\dllhost.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

DllCommonsvc.exe

pid process

1472 DllCommonsvc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exee6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\WaaSMedicAgent.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\c82b8037eab33d	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4084	schtasks.exe
3616	schtasks.exe
4476	schtasks.exe
4388	schtasks.exe
4776	schtasks.exe
2768	schtasks.exe
2320	schtasks.exe
2820	schtasks.exe
4416	schtasks.exe
3928	schtasks.exe
2552	schtasks.exe
740	schtasks.exe
2664	schtasks.exe
5084	schtasks.exe
1196	schtasks.exe
3448	schtasks.exe
5060	schtasks.exe
4788	schtasks.exe
4136	schtasks.exe
1452	schtasks.exe
1284	schtasks.exe
3056	schtasks.exe
5104	schtasks.exe
1352	schtasks.exe
4420	schtasks.exe
4252	schtasks.exe
3536	schtasks.exe
4720	schtasks.exe
5000	schtasks.exe
5068	schtasks.exe
4924	schtasks.exe
1748	schtasks.exe
4460	schtasks.exe
216	schtasks.exe
3944	schtasks.exe
3680	schtasks.exe
1564	schtasks.exe
4700	schtasks.exe
4684	schtasks.exe
4336	schtasks.exe
3788	schtasks.exe
2896	schtasks.exe
808	schtasks.exe
2984	schtasks.exe
3780	schtasks.exe

Modifies registry class 1 IoCs

Processes:

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

DllCommonsvc.exe

pid	process
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe
1472	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DllCommonsvc.exe

description pid process

Token: SeDebugPrivilege 1472 DllCommonsvc.exe

description	pid	process
Token: SeDebugPrivilege	1472	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exeWScript.execmd.exe

description	pid	process	target process
PID 3724 wrote to memory of 3084	3724	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 3724 wrote to memory of 3084	3724	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 3724 wrote to memory of 3084	3724	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 3084 wrote to memory of 1292	3084	WScript.exe	cmd.exe
PID 3084 wrote to memory of 1292	3084	WScript.exe	cmd.exe
PID 3084 wrote to memory of 1292	3084	WScript.exe	cmd.exe
PID 1292 wrote to memory of 1472	1292	cmd.exe	DllCommonsvc.exe
PID 1292 wrote to memory of 1472	1292	cmd.exe	DllCommonsvc.exe

C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
"C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\smss.exe'
5⤵
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WaaSMedicAgent.exe'
5⤵
PID:904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'
5⤵
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
5⤵
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
5⤵
PID:3320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WaaSMedicAgent.exe'
5⤵
PID:5000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dllhost.exe'
5⤵
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o7FgevsgJO.bat"
5⤵
PID:4492

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:5316

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
6⤵
PID:5780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
7⤵
PID:5936

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:6000

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
8⤵
PID:6032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
9⤵
PID:6136

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
10⤵
PID:5084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
11⤵
PID:5472

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
12⤵
PID:5556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
13⤵
PID:4260

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
14⤵
PID:1200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
15⤵
PID:4936

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
16⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
17⤵
PID:5180

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
18⤵
PID:3168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
19⤵
PID:5196

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
20⤵
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
21⤵
PID:5100

C:\Users\All Users\dllhost.exe
"C:\Users\All Users\dllhost.exe"
22⤵
PID:2896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
23⤵
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
5⤵
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\conhost.exe'
5⤵
PID:4756

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:3164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\wininit.exe'
5⤵
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\WaaSMedicAgent.exe'
5⤵
PID:556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'
5⤵
PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Idle.exe'
5⤵
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
5⤵
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
5⤵
PID:1200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\3D Objects\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\providercommon\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\providercommon\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1480

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5552

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:460

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4520

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3204

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:556

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat
Filesize
195B

MD5
27ec9a468579ea2b6b5e24de78e1b849

SHA1
05bd755ba2c1000c8684db01fc748b2f96791ce3

SHA256
4a293631c3f4cccdf98c8059fcbf2883ddf5bd3f5fd47fe03a245895352503d9

SHA512
fe65b86c59d53a08872c92165c26511532d825793bb50cbc61fa91c80d0786161a7f34dd329339b50810f3a07c69c2413b285e1ed6d4de2fd2ad5fbc45120394

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat
Filesize
195B

MD5
27ec9a468579ea2b6b5e24de78e1b849

SHA1
05bd755ba2c1000c8684db01fc748b2f96791ce3

SHA256
4a293631c3f4cccdf98c8059fcbf2883ddf5bd3f5fd47fe03a245895352503d9

SHA512
fe65b86c59d53a08872c92165c26511532d825793bb50cbc61fa91c80d0786161a7f34dd329339b50810f3a07c69c2413b285e1ed6d4de2fd2ad5fbc45120394

Download Submit
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat
Filesize
195B

MD5
500493fc9d50516f6e7a3be39b43de9c

SHA1
c91b5c13f81bd6f272f22756ea0a50eaa03b56d0

SHA256
2911896723c3598b9a8e1eb649e02b7d7ce7959b0763e72bb3ef5b15f10ca183

SHA512
faac62231c24480b9ea278bc00b1d090a92f098ce6aacf5693e88937e2778a613c817ad33b8f7dda1b037e4ab1f654ff366e42eabdaebd69976fb34dc474fd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat
Filesize
195B

MD5
72bf5a0d1e0acf53354c2ae7258da192

SHA1
9792524a397d722db6e7489af3b6f810f4d002b7

SHA256
645ecc45bd7ea952e44a71ab878153b0055287f78bb09efd45d82a96a830be8b

SHA512
7e8f7f81ddc8a7b67446e9b3df0bbf3e55c80360c5f44a61edaa85fe026fe896db5707314b3fd65f8225b07c9d80943254e607437a5f244004c92fee07d9d3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat
Filesize
195B

MD5
b03e51bc230b86af24436543f2fde04f

SHA1
a7abb004c3e1f4ad8a448682fbd51b66328e6fcb

SHA256
9b5db195f4c717494413c7e2af920b97ded41fba10f7c98a1472811f33ff9ab5

SHA512
80dc07b80f51c8287bbe502cb79e42dfed8e84be2c103182ac771ad1e2db542204af646efe7133a5c002b0db046038b021d14123912ef2572ca1620bdf5d3e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat
Filesize
195B

MD5
5ffb0e4e6179437d6c5e6983ac7f8a70

SHA1
1b40959d29e47a393910ef40cd72809854b378aa

SHA256
86a32ca88a8e8061a8ba78997df8a2089af819552de900edb1e445ed4aab546b

SHA512
d54f9b9c0d6b9a143ff601bb8b135ada769f19bc7df15edd4d2b6978819700def54c4b33873dc5327d6c7d6470f4dbb1dc7c9dc2b906619d2d8b47004adbe6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat
Filesize
195B

MD5
2d55309405912e7599523da2c2e63982

SHA1
4fe4c736a6842052db5faed9d0cb803a0de79ae3

SHA256
5d7e6cd6c0e6a06ce2cbcdaeea527cae467fdc8879523a2b39cc6ba1c025f89d

SHA512
0b5af9c447b5ab54b961fd8e4cb8857e44943c2a95d70c7171670c8472657b93911aab73cfd0ffde1c41b42fe2724cfad37dc79fce84f87711931f17b852e9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\o7FgevsgJO.bat
Filesize
195B

MD5
9113b1ad5a1b16a43d58cc40f5885c29

SHA1
1aaa07e050ee36b3a12b2b72f679b5203ef7d325

SHA256
ac50b04846c30afa04f9014d1eaacea726ee518ad4424cb590bd4076402d4a89

SHA512
60070753af681cd61371837d666cc11bf22ffeb996d103a8e4fec244e5f53bac740dcbfe704d4974b819015986ff789c879c5821b49e17fd038b4a8c2c70f701

Download Submit
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat
Filesize
195B

MD5
cc67b9c7f8a66db1d821105c76d48bdf

SHA1
709e0a3f689d3eb39e764a52ee6f5e8e5cbfa067

SHA256
f370c36deb974699ee146a409daa7727318fa382c40282eb3b7f7069e51f6241

SHA512
5d312c8d9dfb857f87400f1a7c7f41f3707e8b34024f335f7980849864b78aebb4fa1edfb50f4ebe899a6795c9878f15962b51c7019aa1ba83c28da8ab6de864

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat
Filesize
195B

MD5
85d64ff68637b7dafeee9a08e19a0628

SHA1
e79b93939640c048f774502e5242c816fd7a33ce

SHA256
5f4b34ee4601723275d4eec064c81e9029fedf6d059f227d3a0721b150c5bb6e

SHA512
38ec0ec557db82a8dd32800be2d0e43c3a875d06b40a51117dd6dc64af35944f7e89b8afcc964680c876cc051d7f8b5ae031c882b657f7f6ea714ec2831150b1

Download Submit
C:\Users\All Users\dllhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/460-238-0x0000000000000000-mapping.dmp

Download
memory/556-259-0x0000000000000000-mapping.dmp

Download
memory/556-147-0x0000000000000000-mapping.dmp

Download
memory/556-192-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/556-173-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/904-174-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/904-149-0x0000000000000000-mapping.dmp

Download
memory/904-205-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1164-176-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1164-154-0x0000000000000000-mapping.dmp

Download
memory/1164-201-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1200-184-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1200-150-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1200-246-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1200-242-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1200-240-0x0000000000000000-mapping.dmp

Download
memory/1200-142-0x0000000000000000-mapping.dmp

Download
memory/1292-135-0x0000000000000000-mapping.dmp

Download
memory/1472-140-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1472-168-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1472-136-0x0000000000000000-mapping.dmp

Download
memory/1472-139-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/1480-224-0x0000000000000000-mapping.dmp

Download
memory/1532-267-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1532-263-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1532-261-0x0000000000000000-mapping.dmp

Download
memory/1548-247-0x0000000000000000-mapping.dmp

Download
memory/1548-249-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1548-253-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1660-148-0x0000000000000000-mapping.dmp

Download
memory/1660-190-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1660-162-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1724-172-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/1724-146-0x0000000000000000-mapping.dmp

Download
memory/1724-187-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/2264-145-0x0000000000000000-mapping.dmp

Download
memory/2264-193-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/2264-157-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/2384-155-0x0000000000000000-mapping.dmp

Download
memory/2384-203-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/2384-165-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/2896-268-0x0000000000000000-mapping.dmp

Download
memory/2896-270-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/2896-274-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/3084-132-0x0000000000000000-mapping.dmp

Download
memory/3120-266-0x0000000000000000-mapping.dmp

Download
memory/3164-273-0x0000000000000000-mapping.dmp

Download
memory/3168-260-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/3168-256-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/3168-254-0x0000000000000000-mapping.dmp

Download
memory/3204-252-0x0000000000000000-mapping.dmp

Download
memory/3320-177-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/3320-183-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/3320-158-0x0000000000000000-mapping.dmp

Download
memory/3372-161-0x0000021AF98A0000-0x0000021AF98C2000-memory.dmp

Filesize
136KB

Download
memory/3372-185-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/3372-170-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/3372-143-0x0000000000000000-mapping.dmp

Download
memory/3656-207-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/3656-153-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/3656-141-0x0000000000000000-mapping.dmp

Download
memory/4212-152-0x0000000000000000-mapping.dmp

Download
memory/4212-202-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/4212-163-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/4260-236-0x0000000000000000-mapping.dmp

Download
memory/4492-164-0x0000000000000000-mapping.dmp

Download
memory/4520-245-0x0000000000000000-mapping.dmp

Download
memory/4756-151-0x0000000000000000-mapping.dmp

Download
memory/4756-200-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/4756-175-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/4756-271-0x0000000000000000-mapping.dmp

Download
memory/4892-188-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/4892-159-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/4892-144-0x0000000000000000-mapping.dmp

Download
memory/4936-243-0x0000000000000000-mapping.dmp

Download
memory/5000-160-0x0000000000000000-mapping.dmp

Download
memory/5000-167-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/5000-209-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/5024-166-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/5024-204-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/5024-156-0x0000000000000000-mapping.dmp

Download
memory/5084-226-0x0000000000000000-mapping.dmp

Download
memory/5084-228-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/5084-232-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/5100-264-0x0000000000000000-mapping.dmp

Download
memory/5180-250-0x0000000000000000-mapping.dmp

Download
memory/5196-257-0x0000000000000000-mapping.dmp

Download
memory/5316-171-0x0000000000000000-mapping.dmp

Download
memory/5472-229-0x0000000000000000-mapping.dmp

Download
memory/5552-231-0x0000000000000000-mapping.dmp

Download
memory/5556-239-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/5556-235-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/5556-233-0x0000000000000000-mapping.dmp

Download
memory/5780-213-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/5780-217-0x00007FF82DAB0000-0x00007FF82E571000-memory.dmp

Filesize
10.8MB

Download
memory/5780-210-0x0000000000000000-mapping.dmp

Download
memory/5936-214-0x0000000000000000-mapping.dmp

Download
memory/6000-216-0x0000000000000000-mapping.dmp

Download
memory/6032-218-0x0000000000000000-mapping.dmp

Download
memory/6032-225-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/6032-221-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/6136-222-0x0000000000000000-mapping.dmp

Download