dcrat | 8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7

Analysis

max time kernel
25s
max time network
135s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7.exe
Size

1.3MB
MD5

1f29e3e88ff8b020a028de82e87a06fe
SHA1

a57cb68221ae3a53cb9da6d8e34bedd0ca0f5ee7
SHA256

8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7
SHA512

133259fadaeb3f44e83e53136e89f597fd4e891098e23ff5a8d9974dfb533b1a143f07ff2691a12d462b4c982634e6ab318a76c3a1180c8d7cc72042f0ac1212
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	196	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	5040	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	5040	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4976-282-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Mail\en-US\sihost.exe	dcrat
C:\Program Files (x86)\Windows Mail\en-US\sihost.exe	dcrat
C:\Program Files (x86)\Windows Mail\en-US\sihost.exe	dcrat
C:\Program Files (x86)\Windows Mail\en-US\sihost.exe	dcrat

Executes dropped EXE 2 IoCs

Processes:

DllCommonsvc.exesihost.exe

pid process

4976 DllCommonsvc.exe
5024 sihost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 9 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\SchCache\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\servicing\Packages\smss.exe	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\SchCache\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4900	schtasks.exe
768	schtasks.exe
2576	schtasks.exe
2340	schtasks.exe
640	schtasks.exe
2428	schtasks.exe
3316	schtasks.exe
212	schtasks.exe
372	schtasks.exe
916	schtasks.exe
2196	schtasks.exe
1332	schtasks.exe
2364	schtasks.exe
196	schtasks.exe
3372	schtasks.exe
3296	schtasks.exe
636	schtasks.exe
5076	schtasks.exe
4908	schtasks.exe
820	schtasks.exe
1900	schtasks.exe
4164	schtasks.exe
1308	schtasks.exe
3332	schtasks.exe
2476	schtasks.exe
2504	schtasks.exe
492	schtasks.exe
4936	schtasks.exe
744	schtasks.exe
1500	schtasks.exe
2704	schtasks.exe
996	schtasks.exe
2568	schtasks.exe
1480	schtasks.exe
3364	schtasks.exe
2728	schtasks.exe
416	schtasks.exe
1844	schtasks.exe
808	schtasks.exe
2084	schtasks.exe
2500	schtasks.exe
4948	schtasks.exe
2496	schtasks.exe
3336	schtasks.exe
2444	schtasks.exe

Modifies registry class 1 IoCs

Processes:

8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesihost.exepowershell.exepowershell.exe

pid	process
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
4976	DllCommonsvc.exe
64	powershell.exe
64	powershell.exe
3916	powershell.exe
3916	powershell.exe
3684	powershell.exe
3684	powershell.exe
4376	powershell.exe
4376	powershell.exe
4656	powershell.exe
4656	powershell.exe
4872	powershell.exe
4872	powershell.exe
2492	powershell.exe
2492	powershell.exe
4400	powershell.exe
4400	powershell.exe
2096	powershell.exe
2096	powershell.exe
948	powershell.exe
948	powershell.exe
4228	powershell.exe
4228	powershell.exe
4376	powershell.exe
4800	powershell.exe
4800	powershell.exe
2096	powershell.exe
1408	powershell.exe
1408	powershell.exe
1216	powershell.exe
1216	powershell.exe
5024	sihost.exe
5024	sihost.exe
948	powershell.exe
3988	powershell.exe
3988	powershell.exe
4304	powershell.exe
4304	powershell.exe
3916	powershell.exe
3684	powershell.exe
64	powershell.exe
4872	powershell.exe
4656	powershell.exe
4376	powershell.exe
3684	powershell.exe
2492	powershell.exe
4400	powershell.exe
4228	powershell.exe
1408	powershell.exe
1216	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesihost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4976	DllCommonsvc.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	5024	sihost.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7.exeWScript.execmd.exeDllCommonsvc.exe

description	pid	process	target process
PID 2460 wrote to memory of 2580	2460	8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7.exe	WScript.exe
PID 2460 wrote to memory of 2580	2460	8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7.exe	WScript.exe
PID 2460 wrote to memory of 2580	2460	8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7.exe	WScript.exe
PID 2580 wrote to memory of 3160	2580	WScript.exe	cmd.exe
PID 2580 wrote to memory of 3160	2580	WScript.exe	cmd.exe
PID 2580 wrote to memory of 3160	2580	WScript.exe	cmd.exe
PID 3160 wrote to memory of 4976	3160	cmd.exe	DllCommonsvc.exe
PID 3160 wrote to memory of 4976	3160	cmd.exe	DllCommonsvc.exe
PID 4976 wrote to memory of 64	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 64	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4376	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4376	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 3684	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 3684	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 3916	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 3916	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4872	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4872	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4656	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4656	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4400	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4400	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 2492	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 2492	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 2096	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 2096	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4228	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4228	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4800	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4800	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 1408	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 1408	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 1216	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 1216	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 948	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 948	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 3988	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 3988	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4304	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 4304	4976	DllCommonsvc.exe	powershell.exe
PID 4976 wrote to memory of 5024	4976	DllCommonsvc.exe	sihost.exe
PID 4976 wrote to memory of 5024	4976	DllCommonsvc.exe	sihost.exe

C:\Users\Admin\AppData\Local\Temp\8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7.exe
"C:\Users\Admin\AppData\Local\Temp\8f17592d2a9ecfa26e7ece4132c9f073f5e2c91fc909f4eb58524b0f186275d7.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\SearchUI.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Program Files (x86)\Windows Mail\en-US\sihost.exe
"C:\Program Files (x86)\Windows Mail\en-US\sihost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
6⤵
PID:4192

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:5044

C:\Program Files (x86)\Windows Mail\en-US\sihost.exe
"C:\Program Files (x86)\Windows Mail\en-US\sihost.exe"
7⤵
PID:5592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
8⤵
PID:5724

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:5780

C:\Program Files (x86)\Windows Mail\en-US\sihost.exe
"C:\Program Files (x86)\Windows Mail\en-US\sihost.exe"
9⤵
PID:5812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
10⤵
PID:5920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\CbsTemp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\CbsTemp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\en-US\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Mail\en-US\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Mail\en-US\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Mail\en-US\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa741e0b45032ac80a2d8dd852558702

SHA1
50801ad2d01098690e29e871da05c90b92b8bbd4

SHA256
111b92306b6f678f5721b0eeb6bb9a9cab491de83dd098459bd604a7fe8c6281

SHA512
9a53d4468913f117d00bca5ba26fc7e08e58c03d779661898300e917ecf3a79d0597f3bdc9b74e92b34416bf28a332f56cc52179458fa9c4209bd11576134b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1faaa0a9349a22505abe8af578164125

SHA1
0c5bd9f04bc278aa79a96c8f0a18fe3bb0b5662e

SHA256
55029e1f0e6a6cef7ab377a15331d51495fa571122851bcea234b21828d451e8

SHA512
1d0bc682452db26850e311a19117d24ccef99cf81c1220cfe1eff573e4845bd3f323d27ce2102bd532bd20eeddde2ff6e6ed5231c8fe95dc88124c0394fbce76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1faaa0a9349a22505abe8af578164125

SHA1
0c5bd9f04bc278aa79a96c8f0a18fe3bb0b5662e

SHA256
55029e1f0e6a6cef7ab377a15331d51495fa571122851bcea234b21828d451e8

SHA512
1d0bc682452db26850e311a19117d24ccef99cf81c1220cfe1eff573e4845bd3f323d27ce2102bd532bd20eeddde2ff6e6ed5231c8fe95dc88124c0394fbce76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b795988f017e9a2d95cc26719f4c13ba

SHA1
0953ab47fd36734dc89ef71693b1790e387e85e6

SHA256
1f5cf8520fa55be6698251b040e78713ba5d30b5429915333302563595e8dedf

SHA512
846675dc273b3791b21100477a9dd50a12c0fb9a67e9cbcde68c87e30cedc8cc527f4b5fe1f936c4754cd00c4d885f7b608c8f24a908639ce7aa844e5843fc28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ca8e3f4769632a978c839091e0f236a

SHA1
a1de6896274d9175ed020f79d5207f0ea860cc92

SHA256
72b7d5de4b588b78ae3a5915d28e5b53c90deeec9a70a4220507d6e5122f2b4f

SHA512
f4bb51306f8cf990af05f411d97a3435b802e82753f8dfa012e8376f881c3246a12c9ddd9e3ea39aee8009bd35da6cd82dad8600386b3b91cf681026dd78caee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b795988f017e9a2d95cc26719f4c13ba

SHA1
0953ab47fd36734dc89ef71693b1790e387e85e6

SHA256
1f5cf8520fa55be6698251b040e78713ba5d30b5429915333302563595e8dedf

SHA512
846675dc273b3791b21100477a9dd50a12c0fb9a67e9cbcde68c87e30cedc8cc527f4b5fe1f936c4754cd00c4d885f7b608c8f24a908639ce7aa844e5843fc28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3aa39ebc2a2f840c926bfc5fe30a0f2

SHA1
6086c01d02fb2747aba145cc67e13a21e89aa043

SHA256
faf146aeeb1c93e7db28033b21cb569f48de6bf8966d1ff85fe1c3dceaa91b17

SHA512
07841840b5a86589a53512ad6b1b4670674612f1964f2c07a9705782f6edf86d5a9211ba9ed6fb56576414da6e659f62f5f9426d74b6a5afa2ab635e792f2f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
80e11e464bece50d73583de7c45e413d

SHA1
b68013491155ef987038b01bf69f95d8cc665f68

SHA256
ce0f3eeb53c7ea70568ac99290d2a06ee53c90dbf4f942b8f0cf3fd9984d7a82

SHA512
f71bbd228f518e3ee2eeeb532152e56f40231ae50740ad1cd0731794a6cb2d4c6f53cc8167255eccb1882040495726734e54b95a9e2dc7c2025c53ab173393ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3aa39ebc2a2f840c926bfc5fe30a0f2

SHA1
6086c01d02fb2747aba145cc67e13a21e89aa043

SHA256
faf146aeeb1c93e7db28033b21cb569f48de6bf8966d1ff85fe1c3dceaa91b17

SHA512
07841840b5a86589a53512ad6b1b4670674612f1964f2c07a9705782f6edf86d5a9211ba9ed6fb56576414da6e659f62f5f9426d74b6a5afa2ab635e792f2f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
80e11e464bece50d73583de7c45e413d

SHA1
b68013491155ef987038b01bf69f95d8cc665f68

SHA256
ce0f3eeb53c7ea70568ac99290d2a06ee53c90dbf4f942b8f0cf3fd9984d7a82

SHA512
f71bbd228f518e3ee2eeeb532152e56f40231ae50740ad1cd0731794a6cb2d4c6f53cc8167255eccb1882040495726734e54b95a9e2dc7c2025c53ab173393ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9738f031ad777cca29840df7dd92d0ba

SHA1
18d38b618beee94dcaefd7ff63fb49d1edef0f89

SHA256
d66800d518eff42aa25896be03f22408e128b2d0894a3bf02dcecbe35d045d5e

SHA512
c92712ed542792ad70e261bca13cc0c5011470a98d10ef910847df2289af7a000283b60b6260894513d1c2a21a286d229fd378b121327a9cf7e0af062bcdce49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dece8851144522b140c729b7ea5e59cd

SHA1
c69c55e54b2370a0201531142a2373d1fddfddbe

SHA256
1326facf2e03cf2bf34399a61fce786ef0b1a2bd36b0f219669cbfc99615000b

SHA512
19727f921944b4114a8b8a1d7bea14a4bd6e5b262cc97879200841799f9443753bb25681c727584bfd785a0a0f27d0eb4e8e8239be35f73c126480460a46fca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd755630b20110992c2b52fbfaa2eede

SHA1
68f030e0ffae7763660c9a27a33ed705ec74d2a6

SHA256
6be4920cd4a412da0f040dac4e6d865d3fc1f63355dba535d83c368d83bebeba

SHA512
e0c0903f6cb64f854bb6afe7af7025b5fb8ae17ddde37d30cbab84f13fb67af5197580551976f50e5be1603771108b2db8c8dfbb91abbf6e77aa1a80398c31d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd755630b20110992c2b52fbfaa2eede

SHA1
68f030e0ffae7763660c9a27a33ed705ec74d2a6

SHA256
6be4920cd4a412da0f040dac4e6d865d3fc1f63355dba535d83c368d83bebeba

SHA512
e0c0903f6cb64f854bb6afe7af7025b5fb8ae17ddde37d30cbab84f13fb67af5197580551976f50e5be1603771108b2db8c8dfbb91abbf6e77aa1a80398c31d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
826f44b54972ad46bcb125a6f54bd802

SHA1
38d27a73714f144115bdea251971c5ee9caf4101

SHA256
210fc983bb4e097b9dc89f8766e865c28855850c489171e9a81968fac4be24a4

SHA512
85b7bf0bfc5e9b97831ad1883ebb1885dda85a8cfd92926775296be7cabba2cae408c1e2894ce9fb7a5849fd78a73a57d3134c6972cbb653e925ba332134d4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
217B

MD5
69855801c881593a61e46e8c4c288f09

SHA1
e47273ad40fcfebc76919cf551a678f4eb94f8dc

SHA256
040a24d7be4b38e0a3994260ee2436868a43c22ee87a6c0d5ae1b5e76f0f1b72

SHA512
cc28780b0b8e3cac42bd3204a089d7d6e09bc805a3c952b82bfc8551c0cf1ca842c96df7e1a4edc653244c392e43913564a1da9550ac08a4293d88b16128a43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

Filesize
217B

MD5
dfb4b9d2adc8326cdb963f1e2ede4bf8

SHA1
b94b897bddc137cb413d7e18cfc266a79be57489

SHA256
e53c37c9c8026e78fc02fd84b4b9bac7cef92813c96a68252a869dc62386e8ae

SHA512
6a26a5de31ba19a5f94f6c2f2b224195d5619653e74eab94100b5f103f3c51d1cefdd248ef04d9b9918a944f67d9934e3277f0a99ca7c0e119c81b124af1e442

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/64-287-0x0000000000000000-mapping.dmp

Download
memory/948-310-0x0000000000000000-mapping.dmp

Download
memory/1216-308-0x0000000000000000-mapping.dmp

Download
memory/1408-304-0x0000000000000000-mapping.dmp

Download
memory/2096-295-0x0000000000000000-mapping.dmp

Download
memory/2460-149-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-137-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-152-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-153-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-154-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-155-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-156-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-157-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-158-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-159-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-160-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-161-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-162-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-163-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-164-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-165-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-166-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-167-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-169-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-168-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-170-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-171-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-172-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-173-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-174-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-175-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-176-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-177-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-178-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-179-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-117-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-118-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-119-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-150-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-116-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-121-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-122-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-148-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-147-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-124-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-125-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-126-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-127-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-128-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-129-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-146-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-130-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-131-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-132-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-133-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-135-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-134-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-145-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-136-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-151-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-144-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-143-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-142-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-138-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-139-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-141-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2460-140-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2492-294-0x0000000000000000-mapping.dmp

Download
memory/2580-180-0x0000000000000000-mapping.dmp

Download
memory/2580-181-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2580-182-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3160-256-0x0000000000000000-mapping.dmp

Download
memory/3684-289-0x0000000000000000-mapping.dmp

Download
memory/3916-290-0x0000000000000000-mapping.dmp

Download
memory/3988-315-0x0000000000000000-mapping.dmp

Download
memory/4192-716-0x0000000000000000-mapping.dmp

Download
memory/4228-297-0x0000000000000000-mapping.dmp

Download
memory/4304-318-0x0000000000000000-mapping.dmp

Download
memory/4376-288-0x0000000000000000-mapping.dmp

Download
memory/4376-377-0x000001E6C8A40000-0x000001E6C8AB6000-memory.dmp

Filesize
472KB

Download
memory/4400-293-0x0000000000000000-mapping.dmp

Download
memory/4656-292-0x0000000000000000-mapping.dmp

Download
memory/4656-370-0x0000018143080000-0x00000181430A2000-memory.dmp

Filesize
136KB

Download
memory/4800-299-0x0000000000000000-mapping.dmp

Download
memory/4872-291-0x0000000000000000-mapping.dmp

Download
memory/4976-282-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/4976-286-0x0000000002F10000-0x0000000002F1C000-memory.dmp

Filesize
48KB

Download
memory/4976-283-0x0000000002ED0000-0x0000000002EE2000-memory.dmp

Filesize
72KB

Download
memory/4976-285-0x0000000002EF0000-0x0000000002EFC000-memory.dmp

Filesize
48KB

Download
memory/4976-279-0x0000000000000000-mapping.dmp

Download
memory/4976-284-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/5024-371-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/5024-338-0x0000000000000000-mapping.dmp

Download
memory/5044-791-0x0000000000000000-mapping.dmp

Download
memory/5592-856-0x0000000000000000-mapping.dmp

Download
memory/5592-859-0x0000000002D70000-0x0000000002D82000-memory.dmp

Filesize
72KB

Download
memory/5724-860-0x0000000000000000-mapping.dmp

Download
memory/5780-862-0x0000000000000000-mapping.dmp

Download
memory/5812-863-0x0000000000000000-mapping.dmp

Download