dcrat | f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exe
Size

1.3MB
MD5

fe5adaae82fca855954fc05d090ac6c0
SHA1

e9721f56aa3af102a7aaad007b46b23bdea47960
SHA256

f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8
SHA512

c864e42f834f34edf7b861a623128d4a34c18699f4c61153694160a71c63f1fb0489c2f75a89f8ac694d400c4e2c5347aa2bc32ecb38e4f6c26b672acd756ae8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	4440	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4440	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4824-139-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	dcrat

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exe

pid	process
4824	DllCommonsvc.exe
3284	SppExtComObj.exe
5064	SppExtComObj.exe
2868	SppExtComObj.exe
2660	SppExtComObj.exe
4556	SppExtComObj.exe
4944	SppExtComObj.exe
2340	SppExtComObj.exe
4284	SppExtComObj.exe
5024	SppExtComObj.exe
3664	SppExtComObj.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exef133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exeWScript.exeDllCommonsvc.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\55b276f4edf653	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
616	schtasks.exe
1572	schtasks.exe
3732	schtasks.exe
392	schtasks.exe
1492	schtasks.exe
3928	schtasks.exe
1652	schtasks.exe
2392	schtasks.exe
2712	schtasks.exe
4624	schtasks.exe
2652	schtasks.exe
544	schtasks.exe
3220	schtasks.exe
2724	schtasks.exe
4828	schtasks.exe

Modifies registry class 12 IoCs

Processes:

SppExtComObj.exeSppExtComObj.exeSppExtComObj.exef133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeDllCommonsvc.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	SppExtComObj.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exe

pid	process
4824	DllCommonsvc.exe
4824	DllCommonsvc.exe
4824	DllCommonsvc.exe
4824	DllCommonsvc.exe
4824	DllCommonsvc.exe
2068	powershell.exe
1048	powershell.exe
1164	powershell.exe
1164	powershell.exe
1908	powershell.exe
1908	powershell.exe
2756	powershell.exe
2756	powershell.exe
2068	powershell.exe
2068	powershell.exe
1048	powershell.exe
1048	powershell.exe
2248	powershell.exe
2248	powershell.exe
2756	powershell.exe
1908	powershell.exe
1164	powershell.exe
2248	powershell.exe
3284	SppExtComObj.exe
5064	SppExtComObj.exe
2868	SppExtComObj.exe
2660	SppExtComObj.exe
4556	SppExtComObj.exe
4944	SppExtComObj.exe
2340	SppExtComObj.exe
4284	SppExtComObj.exe
5024	SppExtComObj.exe
3664	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4824	DllCommonsvc.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	3284	SppExtComObj.exe
Token: SeDebugPrivilege	5064	SppExtComObj.exe
Token: SeDebugPrivilege	2868	SppExtComObj.exe
Token: SeDebugPrivilege	2660	SppExtComObj.exe
Token: SeDebugPrivilege	4556	SppExtComObj.exe
Token: SeDebugPrivilege	4944	SppExtComObj.exe
Token: SeDebugPrivilege	2340	SppExtComObj.exe
Token: SeDebugPrivilege	4284	SppExtComObj.exe
Token: SeDebugPrivilege	5024	SppExtComObj.exe
Token: SeDebugPrivilege	3664	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exeWScript.execmd.exeDllCommonsvc.execmd.exeSppExtComObj.execmd.exeSppExtComObj.execmd.exeSppExtComObj.execmd.exeSppExtComObj.execmd.exeSppExtComObj.execmd.exeSppExtComObj.execmd.exeSppExtComObj.exe

description	pid	process	target process
PID 4736 wrote to memory of 636	4736	f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exe	WScript.exe
PID 4736 wrote to memory of 636	4736	f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exe	WScript.exe
PID 4736 wrote to memory of 636	4736	f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exe	WScript.exe
PID 636 wrote to memory of 856	636	WScript.exe	cmd.exe
PID 636 wrote to memory of 856	636	WScript.exe	cmd.exe
PID 636 wrote to memory of 856	636	WScript.exe	cmd.exe
PID 856 wrote to memory of 4824	856	cmd.exe	DllCommonsvc.exe
PID 856 wrote to memory of 4824	856	cmd.exe	DllCommonsvc.exe
PID 4824 wrote to memory of 2068	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 2068	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 1048	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 1048	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 1164	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 1164	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 1908	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 1908	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 2248	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 2248	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 2756	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 2756	4824	DllCommonsvc.exe	powershell.exe
PID 4824 wrote to memory of 1288	4824	DllCommonsvc.exe	cmd.exe
PID 4824 wrote to memory of 1288	4824	DllCommonsvc.exe	cmd.exe
PID 1288 wrote to memory of 4048	1288	cmd.exe	w32tm.exe
PID 1288 wrote to memory of 4048	1288	cmd.exe	w32tm.exe
PID 1288 wrote to memory of 3284	1288	cmd.exe	SppExtComObj.exe
PID 1288 wrote to memory of 3284	1288	cmd.exe	SppExtComObj.exe
PID 3284 wrote to memory of 4716	3284	SppExtComObj.exe	cmd.exe
PID 3284 wrote to memory of 4716	3284	SppExtComObj.exe	cmd.exe
PID 4716 wrote to memory of 1304	4716	cmd.exe	w32tm.exe
PID 4716 wrote to memory of 1304	4716	cmd.exe	w32tm.exe
PID 4716 wrote to memory of 5064	4716	cmd.exe	SppExtComObj.exe
PID 4716 wrote to memory of 5064	4716	cmd.exe	SppExtComObj.exe
PID 5064 wrote to memory of 2396	5064	SppExtComObj.exe	cmd.exe
PID 5064 wrote to memory of 2396	5064	SppExtComObj.exe	cmd.exe
PID 2396 wrote to memory of 1768	2396	cmd.exe	w32tm.exe
PID 2396 wrote to memory of 1768	2396	cmd.exe	w32tm.exe
PID 2396 wrote to memory of 2868	2396	cmd.exe	SppExtComObj.exe
PID 2396 wrote to memory of 2868	2396	cmd.exe	SppExtComObj.exe
PID 2868 wrote to memory of 1184	2868	SppExtComObj.exe	cmd.exe
PID 2868 wrote to memory of 1184	2868	SppExtComObj.exe	cmd.exe
PID 1184 wrote to memory of 4436	1184	cmd.exe	w32tm.exe
PID 1184 wrote to memory of 4436	1184	cmd.exe	w32tm.exe
PID 1184 wrote to memory of 2660	1184	cmd.exe	SppExtComObj.exe
PID 1184 wrote to memory of 2660	1184	cmd.exe	SppExtComObj.exe
PID 2660 wrote to memory of 3900	2660	SppExtComObj.exe	cmd.exe
PID 2660 wrote to memory of 3900	2660	SppExtComObj.exe	cmd.exe
PID 3900 wrote to memory of 1764	3900	cmd.exe	w32tm.exe
PID 3900 wrote to memory of 1764	3900	cmd.exe	w32tm.exe
PID 3900 wrote to memory of 4556	3900	cmd.exe	SppExtComObj.exe
PID 3900 wrote to memory of 4556	3900	cmd.exe	SppExtComObj.exe
PID 4556 wrote to memory of 1052	4556	SppExtComObj.exe	cmd.exe
PID 4556 wrote to memory of 1052	4556	SppExtComObj.exe	cmd.exe
PID 1052 wrote to memory of 1848	1052	cmd.exe	w32tm.exe
PID 1052 wrote to memory of 1848	1052	cmd.exe	w32tm.exe
PID 1052 wrote to memory of 4944	1052	cmd.exe	SppExtComObj.exe
PID 1052 wrote to memory of 4944	1052	cmd.exe	SppExtComObj.exe
PID 4944 wrote to memory of 2532	4944	SppExtComObj.exe	cmd.exe
PID 4944 wrote to memory of 2532	4944	SppExtComObj.exe	cmd.exe
PID 2532 wrote to memory of 4036	2532	cmd.exe	w32tm.exe
PID 2532 wrote to memory of 4036	2532	cmd.exe	w32tm.exe
PID 2532 wrote to memory of 2340	2532	cmd.exe	SppExtComObj.exe
PID 2532 wrote to memory of 2340	2532	cmd.exe	SppExtComObj.exe
PID 2340 wrote to memory of 4396	2340	SppExtComObj.exe	cmd.exe
PID 2340 wrote to memory of 4396	2340	SppExtComObj.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exe
"C:\Users\Admin\AppData\Local\Temp\f133d7bfbfaf67fb5d1ce5516d4cb087d404d69cdee6ac8e9cf93b51beb7a4d8.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R89d4K3ESh.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
12⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
14⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
16⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
17⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
18⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
19⤵
PID:4396

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
20⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
21⤵
PID:4780

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
22⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
23⤵
PID:636

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe"
24⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
25⤵
PID:4720

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\SppExtComObj.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
258B

MD5
39544dff89a83bc8dfdd863a576000ac

SHA1
ce2aee7ece8df0241ea1a9f0c946128e418de960

SHA256
8a9922468865af28bf5466926b8de97e4856205f4a1b682af3d0e3d50719faa0

SHA512
5a28f78688e059b9eaa8c8482aedd3efc915cd915a7986f4735cbbe441a7648ad0276572e5f96d8f8bbee9433d9e04cddb211d0e36a198fbc636000905d0eded

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
258B

MD5
39544dff89a83bc8dfdd863a576000ac

SHA1
ce2aee7ece8df0241ea1a9f0c946128e418de960

SHA256
8a9922468865af28bf5466926b8de97e4856205f4a1b682af3d0e3d50719faa0

SHA512
5a28f78688e059b9eaa8c8482aedd3efc915cd915a7986f4735cbbe441a7648ad0276572e5f96d8f8bbee9433d9e04cddb211d0e36a198fbc636000905d0eded

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat

Filesize
258B

MD5
9cb936010f6705b0d89f50a290bbebd9

SHA1
c81b00fc2028740e79f98fd6736a6eca20ffb0f6

SHA256
160727b1de0077fb08e4944ede579c5f0423027cfa82f75c945abde987e5b1d8

SHA512
822ffc33b8c02e418b2c4e85cdd11125c4ff16ccc68b518084238f1398cf409c1e6a6f06904b758c9ee8becfef39332e0ccd50f1db70aa067b0addce78c14517

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

Filesize
258B

MD5
331080abde208260b8b1861025e7546d

SHA1
2b9672e612ec325ca1f1dd01d0e1afc132827970

SHA256
78632f8e0bac93402f67d1907677a389d912770ccf193847e20d94e6d6540c9a

SHA512
9bd217fc0e3c0a8abd55674d6bb8a0656211e0f66bfb0cad5a6c2f2495023f6e4a94395090b008193980d6be44cbdf09570f30a1c1bdf272073ad504bcf69c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
258B

MD5
fd7212f802082a892c595e71d588a61a

SHA1
f8a966616a02290ca0d0b0ea40ed00316ed630c3

SHA256
7912460d757bfb37a14b6e6c88d2d4b68d20077dbedfdb0354cc029936e6e7d2

SHA512
e55faeba7d6aa2be68a0894edbb891bfbbf16c53c97af406b8a2e23eb3c6bee114e0357b570bd5b18131f18fb10065e974447c02ef7be31f2606977fd0cc8730

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

Filesize
258B

MD5
3fdb0b5d884339494ba25f70444d4d92

SHA1
ceab097af90a3c425ea83833c25919177561eea7

SHA256
c180e295a4c9d276f6431f3adf93d97f40ba3497aa53330996d44eee5fa6237c

SHA512
df8249d2ce17fe274129c280872f96265d0c50bc5b0b26d5e863f9470c032488098d9e97464ab88353135399c15d1dcd69e5af03af277b5247325b8f2fda3661

Download Submit
C:\Users\Admin\AppData\Local\Temp\R89d4K3ESh.bat

Filesize
258B

MD5
b529a7fcd4c9ab7053c254e532ff1e13

SHA1
d5743969e4a7a6dc2c61a01908913d4aafd9fd0a

SHA256
5c8095b21f785ab7a22232c19d04b240d7881a1c9300805201589b22b694051f

SHA512
913582458bb1beb7a5d60adcac8cc15306841125458a6dfa52548c30324926ef2a5415a6e04ca3f47c8287651651484437579556869422fe0a3c40d6c2c68eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

Filesize
258B

MD5
4f22b9e62c447e6e28fd9207b88ec027

SHA1
52ad82e09965a18b6327addb1d98a6ce0fd4b2bf

SHA256
8a9ece7c6c129fdcacf9bbf3f113bf62ea9a42a0ed13dc755cc5f8f6108626e2

SHA512
0180dcf3138f2ce6de90d2619adf0f832fac20b225fbf9e49e9b348dfb5094d208c700ea76ddb5b3e1a8497a26cab06095b5574c4d2306bcac473024205c1975

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
258B

MD5
a0d45da9d0a7b572c77ee0613380f79b

SHA1
c0c7162e661d83fba3182e5cda0a0b733be13424

SHA256
5e4f221ec0c72cfe81e168fd4122b63611c587937430a6e2168fb7e01a50b13a

SHA512
b172626a65e5c9b32b8da1fc33b323b20552c6d314d0fdac517179faaf167325d23ad357458a30a27197648f6b6515afc994d064cc1dda163fbeca70372b18e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
258B

MD5
d59f8cd34294ab7bfff6d1f07d95b46c

SHA1
00e1137132e595947434c623fcaf918d91195c75

SHA256
7f218500fd4144be0cc4bf23a98b7f25a41b4f247bb641ff688c49162947969e

SHA512
f0dc10847c2808213b5495831ff8b46ac4b65fe041da19b4c40387eed8e516ded0750a5c364c4af10be41ae1a779d6c01ced7090ad808364ba32150d26bf2cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
258B

MD5
d59f8cd34294ab7bfff6d1f07d95b46c

SHA1
00e1137132e595947434c623fcaf918d91195c75

SHA256
7f218500fd4144be0cc4bf23a98b7f25a41b4f247bb641ff688c49162947969e

SHA512
f0dc10847c2808213b5495831ff8b46ac4b65fe041da19b4c40387eed8e516ded0750a5c364c4af10be41ae1a779d6c01ced7090ad808364ba32150d26bf2cd9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/636-132-0x0000000000000000-mapping.dmp

Download
memory/636-231-0x0000000000000000-mapping.dmp

Download
memory/856-135-0x0000000000000000-mapping.dmp

Download
memory/1048-154-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1048-160-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1048-142-0x0000000000000000-mapping.dmp

Download
memory/1052-203-0x0000000000000000-mapping.dmp

Download
memory/1164-143-0x0000000000000000-mapping.dmp

Download
memory/1164-164-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-153-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-189-0x0000000000000000-mapping.dmp

Download
memory/1288-147-0x0000000000000000-mapping.dmp

Download
memory/1304-176-0x0000000000000000-mapping.dmp

Download
memory/1496-219-0x0000000000000000-mapping.dmp

Download
memory/1764-199-0x0000000000000000-mapping.dmp

Download
memory/1768-184-0x0000000000000000-mapping.dmp

Download
memory/1848-205-0x0000000000000000-mapping.dmp

Download
memory/1908-168-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-144-0x0000000000000000-mapping.dmp

Download
memory/1908-155-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-148-0x00000255A6C50000-0x00000255A6C72000-memory.dmp

Filesize
136KB

Download
memory/2068-152-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-161-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2068-141-0x0000000000000000-mapping.dmp

Download
memory/2248-145-0x0000000000000000-mapping.dmp

Download
memory/2248-169-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2248-156-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2340-220-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2340-214-0x0000000000000000-mapping.dmp

Download
memory/2340-216-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-182-0x0000000000000000-mapping.dmp

Download
memory/2532-210-0x0000000000000000-mapping.dmp

Download
memory/2600-233-0x0000000000000000-mapping.dmp

Download
memory/2660-193-0x0000000000000000-mapping.dmp

Download
memory/2660-195-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2660-197-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2756-146-0x0000000000000000-mapping.dmp

Download
memory/2756-157-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2756-165-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-186-0x0000000000000000-mapping.dmp

Download
memory/2868-192-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-188-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-226-0x0000000000000000-mapping.dmp

Download
memory/3284-177-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-173-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-170-0x0000000000000000-mapping.dmp

Download
memory/3664-241-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3664-237-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3664-235-0x0000000000000000-mapping.dmp

Download
memory/3900-196-0x0000000000000000-mapping.dmp

Download
memory/4036-212-0x0000000000000000-mapping.dmp

Download
memory/4048-151-0x0000000000000000-mapping.dmp

Download
memory/4224-240-0x0000000000000000-mapping.dmp

Download
memory/4284-227-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4284-223-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4284-221-0x0000000000000000-mapping.dmp

Download
memory/4396-217-0x0000000000000000-mapping.dmp

Download
memory/4436-191-0x0000000000000000-mapping.dmp

Download
memory/4556-206-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-200-0x0000000000000000-mapping.dmp

Download
memory/4556-202-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4716-174-0x0000000000000000-mapping.dmp

Download
memory/4720-238-0x0000000000000000-mapping.dmp

Download
memory/4780-224-0x0000000000000000-mapping.dmp

Download
memory/4824-140-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4824-136-0x0000000000000000-mapping.dmp

Download
memory/4824-139-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/4824-149-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-209-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-213-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-207-0x0000000000000000-mapping.dmp

Download
memory/5024-234-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-230-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-228-0x0000000000000000-mapping.dmp

Download
memory/5064-185-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-181-0x00007FF980520000-0x00007FF980FE1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-178-0x0000000000000000-mapping.dmp

Download