dcrat | d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023

Analysis

max time kernel
39s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023.exe
Size

1.3MB
MD5

78efdd0d42949725433981728d20bad6
SHA1

c9949e1bb484fb6699e52600c5476f62e37a181c
SHA256

d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023
SHA512

1c84bfcd1e36181f9d62bfb1f99d7e268a73ab7504f89ffaf407157aa3d6c9401b660d6309d68c51e50458cbff3e3858bf15796365d2ac613493942f070bfdff
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	2336	schtasks.exe	49
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2336	schtasks.exe	49

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0003000000000721-137.dat	dcrat
behavioral1/files/0x0003000000000721-138.dat	dcrat
behavioral1/memory/2732-139-0x0000000000A00000-0x0000000000B10000-memory.dmp	dcrat
behavioral1/files/0x0006000000022df3-220.dat	dcrat
behavioral1/files/0x0006000000022df3-219.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023.exe

Executes dropped EXE 2 IoCs

pid	Process
2732	DllCommonsvc.exe
5420	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\it-IT\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Music\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Music\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\Fonts\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\InputMethod\SHARED\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\InputMethod\SHARED\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\Registry.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
328	schtasks.exe
4304	schtasks.exe
3080	schtasks.exe
4708	schtasks.exe
4572	schtasks.exe
2252	schtasks.exe
1352	schtasks.exe
4240	schtasks.exe
4952	schtasks.exe
360	schtasks.exe
4808	schtasks.exe
3856	schtasks.exe
3576	schtasks.exe
3396	schtasks.exe
4736	schtasks.exe
3588	schtasks.exe
2072	schtasks.exe
3812	schtasks.exe
4452	schtasks.exe
3656	schtasks.exe
876	schtasks.exe
3760	schtasks.exe
2112	schtasks.exe
3800	schtasks.exe
1020	schtasks.exe
3864	schtasks.exe
5068	schtasks.exe
4908	schtasks.exe
1400	schtasks.exe
2220	schtasks.exe
552	schtasks.exe
2228	schtasks.exe
2812	schtasks.exe
4272	schtasks.exe
1148	schtasks.exe
5064	schtasks.exe
2380	schtasks.exe
3164	schtasks.exe
4972	schtasks.exe
5056	schtasks.exe
1544	schtasks.exe
4772	schtasks.exe
2080	schtasks.exe
3148	schtasks.exe
1984	schtasks.exe
3160	schtasks.exe
3736	schtasks.exe
2632	schtasks.exe
3604	schtasks.exe
3912	schtasks.exe
4648	schtasks.exe
224	schtasks.exe
3360	schtasks.exe
4024	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
4092	powershell.exe
4092	powershell.exe
4904	powershell.exe
4904	powershell.exe
912	powershell.exe
912	powershell.exe
1088	powershell.exe
1088	powershell.exe
3964	powershell.exe
3964	powershell.exe
4640	powershell.exe
4640	powershell.exe
4676	powershell.exe
4676	powershell.exe
1272	powershell.exe
1272	powershell.exe
1904	powershell.exe
1904	powershell.exe
4256	powershell.exe
4256	powershell.exe
3856	powershell.exe
3856	powershell.exe
1820	powershell.exe
1820	powershell.exe
2492	powershell.exe
1312	powershell.exe
2492	powershell.exe
1312	powershell.exe
5080	powershell.exe
5080	powershell.exe
2968	powershell.exe
2968	powershell.exe
2212	powershell.exe
2212	powershell.exe
4168	powershell.exe
4168	powershell.exe
4092	powershell.exe
4092	powershell.exe
912	powershell.exe
912	powershell.exe
4904	powershell.exe
4904	powershell.exe
4640	powershell.exe
4640	powershell.exe
3964	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	DllCommonsvc.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4372	3388	d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023.exe	83
PID 3388 wrote to memory of 4372	3388	d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023.exe	83
PID 3388 wrote to memory of 4372	3388	d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023.exe	83
PID 4372 wrote to memory of 3368	4372	WScript.exe	86
PID 4372 wrote to memory of 3368	4372	WScript.exe	86
PID 4372 wrote to memory of 3368	4372	WScript.exe	86
PID 3368 wrote to memory of 2732	3368	cmd.exe	88
PID 3368 wrote to memory of 2732	3368	cmd.exe	88
PID 2732 wrote to memory of 4092	2732	DllCommonsvc.exe	146
PID 2732 wrote to memory of 4092	2732	DllCommonsvc.exe	146
PID 2732 wrote to memory of 4904	2732	DllCommonsvc.exe	147
PID 2732 wrote to memory of 4904	2732	DllCommonsvc.exe	147
PID 2732 wrote to memory of 912	2732	DllCommonsvc.exe	148
PID 2732 wrote to memory of 912	2732	DllCommonsvc.exe	148
PID 2732 wrote to memory of 2752	2732	DllCommonsvc.exe	149
PID 2732 wrote to memory of 2752	2732	DllCommonsvc.exe	149
PID 2732 wrote to memory of 3964	2732	DllCommonsvc.exe	150
PID 2732 wrote to memory of 3964	2732	DllCommonsvc.exe	150
PID 2732 wrote to memory of 4640	2732	DllCommonsvc.exe	151
PID 2732 wrote to memory of 4640	2732	DllCommonsvc.exe	151
PID 2732 wrote to memory of 1088	2732	DllCommonsvc.exe	152
PID 2732 wrote to memory of 1088	2732	DllCommonsvc.exe	152
PID 2732 wrote to memory of 4676	2732	DllCommonsvc.exe	153
PID 2732 wrote to memory of 4676	2732	DllCommonsvc.exe	153
PID 2732 wrote to memory of 1272	2732	DllCommonsvc.exe	154
PID 2732 wrote to memory of 1272	2732	DllCommonsvc.exe	154
PID 2732 wrote to memory of 1904	2732	DllCommonsvc.exe	163
PID 2732 wrote to memory of 1904	2732	DllCommonsvc.exe	163
PID 2732 wrote to memory of 4256	2732	DllCommonsvc.exe	162
PID 2732 wrote to memory of 4256	2732	DllCommonsvc.exe	162
PID 2732 wrote to memory of 3856	2732	DllCommonsvc.exe	157
PID 2732 wrote to memory of 3856	2732	DllCommonsvc.exe	157
PID 2732 wrote to memory of 1820	2732	DllCommonsvc.exe	158
PID 2732 wrote to memory of 1820	2732	DllCommonsvc.exe	158
PID 2732 wrote to memory of 5080	2732	DllCommonsvc.exe	168
PID 2732 wrote to memory of 5080	2732	DllCommonsvc.exe	168
PID 2732 wrote to memory of 2492	2732	DllCommonsvc.exe	174
PID 2732 wrote to memory of 2492	2732	DllCommonsvc.exe	174
PID 2732 wrote to memory of 1312	2732	DllCommonsvc.exe	170
PID 2732 wrote to memory of 1312	2732	DllCommonsvc.exe	170
PID 2732 wrote to memory of 2968	2732	DllCommonsvc.exe	178
PID 2732 wrote to memory of 2968	2732	DllCommonsvc.exe	178
PID 2732 wrote to memory of 4168	2732	DllCommonsvc.exe	179
PID 2732 wrote to memory of 4168	2732	DllCommonsvc.exe	179
PID 2732 wrote to memory of 2212	2732	DllCommonsvc.exe	180
PID 2732 wrote to memory of 2212	2732	DllCommonsvc.exe	180
PID 2732 wrote to memory of 4840	2732	DllCommonsvc.exe	186
PID 2732 wrote to memory of 4840	2732	DllCommonsvc.exe	186
PID 4840 wrote to memory of 5912	4840	cmd.exe	188
PID 4840 wrote to memory of 5912	4840	cmd.exe	188
PID 4840 wrote to memory of 5420	4840	cmd.exe	190
PID 4840 wrote to memory of 5420	4840	cmd.exe	190

C:\Users\Admin\AppData\Local\Temp\d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023.exe
"C:\Users\Admin\AppData\Local\Temp\d0818da54eae24237cc257a2d2012daadf6bfe2e73cb9a146e4767a98f1fc023.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Music\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GCz4Ehy5lY.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5912
      - C:\Users\Public\Desktop\smss.exe
        
        "C:\Users\Public\Desktop\smss.exe"
        6⤵
        Executes dropped EXE
        
        PID:5420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        7⤵
        
        PID:5748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Music\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
197B

MD5
7ad1898d0e082457b9bf653f3ed0af92

SHA1
e95feb98df72cbf32f1ab98ce0f41efb3698a767

SHA256
6498bb82041c8a85c2713c17fe662796874a5619c200aac7f85f3552e2256daf

SHA512
8a5e9f3f7fd2d0eba2eb62126a05e92ecdfc901baf65d063cf5cb369e78ab1f889ff4ce72630bfed4ed236a94e7d7ed7d8813f0b20528a2d9e542a7dc9b16a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCz4Ehy5lY.bat

Filesize
197B

MD5
469bd102e92fa39a215b2e392e08e2a6

SHA1
ecd88731df54af7d05afa3fd920c304730d5e26e

SHA256
c72c594c901a108282cf6149117acc5edd6f84767499f6ecdb6d3549d2f0288e

SHA512
aeb421fa9c231a9e3bd85c3e3e8fab729fd82181db4076fcc485dcbb55d59279f46b6621aa947c4f8525cb55c3af93e5c239e39a8db6c08ebb67bdb3816cdcc1

Download Submit
C:\Users\Public\Desktop\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Desktop\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/912-186-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/912-164-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1088-193-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1088-168-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1272-170-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1272-198-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1312-213-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1312-176-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1820-214-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1820-175-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1904-171-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1904-199-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2212-182-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2212-218-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2492-208-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2492-181-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2732-166-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2732-140-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2732-139-0x0000000000A00000-0x0000000000B10000-memory.dmp

Filesize
1.1MB

Download
memory/2968-209-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2968-177-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3856-174-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3856-197-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3964-196-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3964-165-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4092-160-0x000002ED61630000-0x000002ED61652000-memory.dmp

Filesize
136KB

Download
memory/4092-161-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4092-185-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4168-216-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4168-178-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4256-206-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4256-172-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4640-167-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4640-202-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4676-169-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4676-200-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4904-187-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4904-162-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/5080-207-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/5080-180-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/5420-221-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/5420-223-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download