dcrat | 9a9ac0169117b67557d8ba9932d908df0df543542a649e16db365c2c4d9829cb

Analysis

max time kernel
206s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Size

1.3MB
MD5

adde6baef89ebb01b5e60f15610ba470
SHA1

edc49b43aa822b754ee617db11c3ffc1a3e79ec1
SHA256

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458
SHA512

89ebfaafca6347cced23fd73aee44483118d4806c339048df9ba9da5f775f84ce6b6876a8399617abfbf1ae23cfd0b78825f85f50efdcc2c9e3c88cb8e122a30
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	1380	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral8/memory/3520-139-0x00000000007F0000-0x0000000000900000-memory.dmp	dcrat
C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe	dcrat
C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe	dcrat
C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe	dcrat
C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe	dcrat
C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe	dcrat

Executes dropped EXE 5 IoCs

Processes:

DllCommonsvc.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid process

3520 DllCommonsvc.exe
4868 spoolsv.exe
2436 spoolsv.exe
3436 spoolsv.exe
1828 spoolsv.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DllCommonsvc.exespoolsv.exespoolsv.exespoolsv.exee6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\SIHClient.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\55b276f4edf653	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\7b3bf1de107bcf	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2364	schtasks.exe
1212	schtasks.exe
3496	schtasks.exe
3376	schtasks.exe
2420	schtasks.exe
2276	schtasks.exe
3124	schtasks.exe
2280	schtasks.exe
4796	schtasks.exe
5064	schtasks.exe
4984	schtasks.exe
3960	schtasks.exe
4844	schtasks.exe
3148	schtasks.exe
1740	schtasks.exe
4068	schtasks.exe
2848	schtasks.exe
3068	schtasks.exe
8	schtasks.exe
4452	schtasks.exe
3644	schtasks.exe
3984	schtasks.exe
204	schtasks.exe
2592	schtasks.exe
684	schtasks.exe
2940	schtasks.exe
644	schtasks.exe
4456	schtasks.exe
3588	schtasks.exe
4948	schtasks.exe
4820	schtasks.exe
1688	schtasks.exe
2964	schtasks.exe
4972	schtasks.exe
4388	schtasks.exe
4576	schtasks.exe
2092	schtasks.exe
4112	schtasks.exe
3500	schtasks.exe
3716	schtasks.exe
1632	schtasks.exe
852	schtasks.exe

Modifies registry class 5 IoCs

Processes:

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exeDllCommonsvc.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
3520	DllCommonsvc.exe
624	powershell.exe
624	powershell.exe
3548	powershell.exe
3548	powershell.exe
3532	powershell.exe
3532	powershell.exe
768	powershell.exe
768	powershell.exe
4512	powershell.exe
4512	powershell.exe
2520	powershell.exe
2520	powershell.exe
2832	powershell.exe
2832	powershell.exe
4564	powershell.exe
4564	powershell.exe
1812	powershell.exe
1812	powershell.exe
3032	powershell.exe
3032	powershell.exe
388	powershell.exe
388	powershell.exe
4348	powershell.exe
4348	powershell.exe
4172	powershell.exe
4172	powershell.exe
4140	powershell.exe
4140	powershell.exe
1204	powershell.exe
1204	powershell.exe
624	powershell.exe
3548	powershell.exe
3532	powershell.exe
768	powershell.exe
4512	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3520	DllCommonsvc.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	4868	spoolsv.exe
Token: SeDebugPrivilege	2436	spoolsv.exe
Token: SeDebugPrivilege	3436	spoolsv.exe
Token: SeDebugPrivilege	1828	spoolsv.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exeWScript.execmd.exeDllCommonsvc.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exe

description	pid	process	target process
PID 3612 wrote to memory of 3784	3612	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 3612 wrote to memory of 3784	3612	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 3612 wrote to memory of 3784	3612	e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe	WScript.exe
PID 3784 wrote to memory of 932	3784	WScript.exe	cmd.exe
PID 3784 wrote to memory of 932	3784	WScript.exe	cmd.exe
PID 3784 wrote to memory of 932	3784	WScript.exe	cmd.exe
PID 932 wrote to memory of 3520	932	cmd.exe	DllCommonsvc.exe
PID 932 wrote to memory of 3520	932	cmd.exe	DllCommonsvc.exe
PID 3520 wrote to memory of 2832	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 2832	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 624	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 624	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 3532	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 3532	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4512	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4512	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 768	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 768	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 3548	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 3548	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 2520	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 2520	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 388	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 388	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 3032	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 3032	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4564	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4564	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 1812	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 1812	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4348	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4348	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4172	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4172	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4140	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4140	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 1204	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 1204	3520	DllCommonsvc.exe	powershell.exe
PID 3520 wrote to memory of 4656	3520	DllCommonsvc.exe	cmd.exe
PID 3520 wrote to memory of 4656	3520	DllCommonsvc.exe	cmd.exe
PID 4656 wrote to memory of 2620	4656	cmd.exe	w32tm.exe
PID 4656 wrote to memory of 2620	4656	cmd.exe	w32tm.exe
PID 4656 wrote to memory of 4868	4656	cmd.exe	spoolsv.exe
PID 4656 wrote to memory of 4868	4656	cmd.exe	spoolsv.exe
PID 4868 wrote to memory of 4648	4868	spoolsv.exe	cmd.exe
PID 4868 wrote to memory of 4648	4868	spoolsv.exe	cmd.exe
PID 4648 wrote to memory of 3748	4648	cmd.exe	w32tm.exe
PID 4648 wrote to memory of 3748	4648	cmd.exe	w32tm.exe
PID 4648 wrote to memory of 2436	4648	cmd.exe	spoolsv.exe
PID 4648 wrote to memory of 2436	4648	cmd.exe	spoolsv.exe
PID 2436 wrote to memory of 4552	2436	spoolsv.exe	cmd.exe
PID 2436 wrote to memory of 4552	2436	spoolsv.exe	cmd.exe
PID 4552 wrote to memory of 2520	4552	cmd.exe	w32tm.exe
PID 4552 wrote to memory of 2520	4552	cmd.exe	w32tm.exe
PID 4552 wrote to memory of 3436	4552	cmd.exe	spoolsv.exe
PID 4552 wrote to memory of 3436	4552	cmd.exe	spoolsv.exe
PID 3436 wrote to memory of 3916	3436	spoolsv.exe	cmd.exe
PID 3436 wrote to memory of 3916	3436	spoolsv.exe	cmd.exe
PID 3916 wrote to memory of 4240	3916	cmd.exe	w32tm.exe
PID 3916 wrote to memory of 4240	3916	cmd.exe	w32tm.exe
PID 3916 wrote to memory of 1828	3916	cmd.exe	spoolsv.exe
PID 3916 wrote to memory of 1828	3916	cmd.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe
"C:\Users\Admin\AppData\Local\Temp\e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\SIHClient.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2alBlA0VVa.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2620

C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe
"C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:3748

C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe
"C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:2520

C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe
"C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:4240

C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe
"C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\features\SIHClient.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\features\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Internet Explorer\fr-FR\spoolsv.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat
Filesize
217B

MD5
dc2cce548bb538a50677289f0ed81249

SHA1
8713b086f8feb0bfe021f0d023d8240097f7792c

SHA256
897f59d7b3014bd55e9a6d0c4e7a688643226a3654d49a32c9256b48d7576630

SHA512
c999d2445e278710d8853fba41f953daafb4bc5d122ae57936e998340033f9972c0442c7d7e4763f85be06d5dc70fd9b8f74d782cb9fda3951a66d4343933acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2alBlA0VVa.bat
Filesize
217B

MD5
abd7dcafe509cd8c2d78d08ba5215e08

SHA1
5a4bfca510d9838c14124d6da2176ea81fb964db

SHA256
c0371171089082ea063fc31097de56e434bd6f5a56bb1120d8665a9ff2a731cd

SHA512
1233f038ad0f38ac1c25e8d2518b98e25f080070b0352f6a96b38819979d4837f9e5c98154cbaea3e22997d98fd860dfdc4c1da2580b942f2f7668be95941fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat
Filesize
217B

MD5
5b1b0b0c74595b32b27bce2883949912

SHA1
e96ac060ef6c11f7950ab01c3f53d86787281240

SHA256
6d8459efdabde14241591221c86be2ea0c886f9978cdf64049ee9b72cda6f11c

SHA512
9e5e1d6a12f93e1bbe9b51201d48935c35c50a01c114f2ed28b16d8b7e8e5fc2bc509ed012c221dd008f240cb8d1d05ca8c7022a1c2e2d7c13ce0c8c31220203

Download Submit
C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat
Filesize
217B

MD5
2ca8c8dda7eaa1695717be7689950342

SHA1
a197ac8a4eec9cbc1fc83a481f3e2e87a265192f

SHA256
40f3f3a67c803a56e3b61ff4a93feb4f80834f080afd2ea9bed9a81697e1bd88

SHA512
106fb6ec2219609bc28995de5e2199898c73ac38fe5b7f0f23899c6048ceab45879a965205cb1d57a71f72b769db1f31535c108702ffd690f2748f2f695957d5

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/388-198-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/388-207-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/388-165-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/388-149-0x0000000000000000-mapping.dmp

Download
memory/624-143-0x0000000000000000-mapping.dmp

Download
memory/624-157-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/624-217-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/624-177-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/768-161-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/768-195-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/768-214-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/768-146-0x0000000000000000-mapping.dmp

Download
memory/932-135-0x0000000000000000-mapping.dmp

Download
memory/1204-156-0x0000000000000000-mapping.dmp

Download
memory/1204-205-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-215-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-175-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/1812-208-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/1812-168-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/1812-152-0x0000000000000000-mapping.dmp

Download
memory/1812-201-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/1828-247-0x00007FF8F36A0000-0x00007FF8F4161000-memory.dmp

Filesize
10.8MB

Download
memory/1828-245-0x0000000000000000-mapping.dmp

Download
memory/2436-237-0x00007FF8F3630000-0x00007FF8F40F1000-memory.dmp

Filesize
10.8MB

Download
memory/2436-233-0x00007FF8F3630000-0x00007FF8F40F1000-memory.dmp

Filesize
10.8MB

Download
memory/2436-230-0x0000000000000000-mapping.dmp

Download
memory/2520-148-0x0000000000000000-mapping.dmp

Download
memory/2520-164-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/2520-236-0x0000000000000000-mapping.dmp

Download
memory/2520-212-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/2520-197-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/2620-176-0x0000000000000000-mapping.dmp

Download
memory/2832-216-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-167-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-142-0x0000000000000000-mapping.dmp

Download
memory/2832-200-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3032-166-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3032-219-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3032-150-0x0000000000000000-mapping.dmp

Download
memory/3032-199-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3436-238-0x0000000000000000-mapping.dmp

Download
memory/3436-240-0x00007FF8F3630000-0x00007FF8F40F1000-memory.dmp

Filesize
10.8MB

Download
memory/3436-244-0x00007FF8F3630000-0x00007FF8F40F1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-140-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-136-0x0000000000000000-mapping.dmp

Download
memory/3520-141-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-139-0x00000000007F0000-0x0000000000900000-memory.dmp

Filesize
1.1MB

Download
memory/3520-171-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3532-144-0x0000000000000000-mapping.dmp

Download
memory/3532-178-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3532-159-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3532-211-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-196-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-147-0x0000000000000000-mapping.dmp

Download
memory/3548-163-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-158-0x000001DDF31B0000-0x000001DDF31D2000-memory.dmp

Filesize
136KB

Download
memory/3548-220-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/3748-228-0x0000000000000000-mapping.dmp

Download
memory/3784-132-0x0000000000000000-mapping.dmp

Download
memory/3916-241-0x0000000000000000-mapping.dmp

Download
memory/4140-206-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-202-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-172-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-155-0x0000000000000000-mapping.dmp

Download
memory/4172-174-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4172-209-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4172-154-0x0000000000000000-mapping.dmp

Download
memory/4172-204-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4240-243-0x0000000000000000-mapping.dmp

Download
memory/4348-170-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4348-153-0x0000000000000000-mapping.dmp

Download
memory/4348-218-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4348-194-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-145-0x0000000000000000-mapping.dmp

Download
memory/4512-160-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-213-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-179-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-234-0x0000000000000000-mapping.dmp

Download
memory/4564-203-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-151-0x0000000000000000-mapping.dmp

Download
memory/4564-173-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-210-0x00007FF8F3800000-0x00007FF8F42C1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-226-0x0000000000000000-mapping.dmp

Download
memory/4656-162-0x0000000000000000-mapping.dmp

Download
memory/4868-221-0x0000000000000000-mapping.dmp

Download
memory/4868-229-0x00007FF8F3AF0000-0x00007FF8F45B1000-memory.dmp

Filesize
10.8MB

Download
memory/4868-225-0x00007FF8F3AF0000-0x00007FF8F45B1000-memory.dmp

Filesize
10.8MB

Download
memory/4868-224-0x00007FF8F3AF0000-0x00007FF8F45B1000-memory.dmp

Filesize
10.8MB

Download