dcrat | 1a0f5dcc4e57278f186d686e26eb4f084891ea78880e65dec1cdfafe877dbf56

Analysis

max time kernel
146s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/02/2023, 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a0f5dcc4e57278f186d686e26eb4f084891ea78880e65dec1cdfafe877dbf56.exe
Size

1.3MB
MD5

c18810c18d1f623b74e82019d7181fd9
SHA1

c8164cb1553388dbea396f9faa15dc6b07f62c18
SHA256

1a0f5dcc4e57278f186d686e26eb4f084891ea78880e65dec1cdfafe877dbf56
SHA512

dad7f6777de9ddc55899c3f9fcf653faf2862c2e103cbf0ecc108e0de0d2da12d1c890b98614602302466bf1cbcd68dc1279d7bafe7f8e8c9390b32a02fd3a60
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	192	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4092	schtasks.exe	70

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abf3-279.dat	dcrat
behavioral1/files/0x000800000001abf3-280.dat	dcrat
behavioral1/memory/4068-281-0x0000000000950000-0x0000000000A60000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac22-363.dat	dcrat
behavioral1/files/0x000600000001ac22-361.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
4068	DllCommonsvc.exe
2796	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GroupPolicy\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\GroupPolicy\886983d96e3d3e	DllCommonsvc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ELAMBKUP\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Windows\INF\smss.exe	DllCommonsvc.exe
File created	C:\Windows\INF\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\ELAMBKUP\OfficeClickToRun.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
764	schtasks.exe
4444	schtasks.exe
4168	schtasks.exe
5024	schtasks.exe
3688	schtasks.exe
588	schtasks.exe
740	schtasks.exe
3312	schtasks.exe
5004	schtasks.exe
4292	schtasks.exe
1872	schtasks.exe
4744	schtasks.exe
1080	schtasks.exe
4712	schtasks.exe
224	schtasks.exe
3708	schtasks.exe
392	schtasks.exe
192	schtasks.exe
4636	schtasks.exe
4692	schtasks.exe
1836	schtasks.exe
1440	schtasks.exe
1896	schtasks.exe
4616	schtasks.exe
4576	schtasks.exe
920	schtasks.exe
1136	schtasks.exe
1256	schtasks.exe
2128	schtasks.exe
4376	schtasks.exe
4496	schtasks.exe
1504	schtasks.exe
668	schtasks.exe
32	schtasks.exe
3184	schtasks.exe
4460	schtasks.exe
4596	schtasks.exe
4536	schtasks.exe
4584	schtasks.exe
1644	schtasks.exe
2304	schtasks.exe
1780	schtasks.exe
4628	schtasks.exe
3056	schtasks.exe
5116	schtasks.exe
2768	schtasks.exe
4724	schtasks.exe
4736	schtasks.exe
704	schtasks.exe
1920	schtasks.exe
824	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	1a0f5dcc4e57278f186d686e26eb4f084891ea78880e65dec1cdfafe877dbf56.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
4068	DllCommonsvc.exe
2848	powershell.exe
2848	powershell.exe
2100	powershell.exe
2100	powershell.exe
2404	powershell.exe
2404	powershell.exe
3800	powershell.exe
3800	powershell.exe
3828	powershell.exe
3828	powershell.exe
2400	powershell.exe
2400	powershell.exe
3988	powershell.exe
3988	powershell.exe
3980	powershell.exe
3980	powershell.exe
3512	powershell.exe
3512	powershell.exe
3600	powershell.exe
3600	powershell.exe
4864	powershell.exe
4864	powershell.exe
2152	powershell.exe
2152	powershell.exe
64	powershell.exe
64	powershell.exe
1592	powershell.exe
1592	powershell.exe
2100	powershell.exe
3484	powershell.exe
3484	powershell.exe
3800	powershell.exe
2920	powershell.exe
2920	powershell.exe
3328	powershell.exe
3328	powershell.exe
3988	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	DllCommonsvc.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2796	dllhost.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeIncreaseQuotaPrivilege	2100	powershell.exe
Token: SeSecurityPrivilege	2100	powershell.exe
Token: SeTakeOwnershipPrivilege	2100	powershell.exe
Token: SeLoadDriverPrivilege	2100	powershell.exe
Token: SeSystemProfilePrivilege	2100	powershell.exe
Token: SeSystemtimePrivilege	2100	powershell.exe
Token: SeProfSingleProcessPrivilege	2100	powershell.exe
Token: SeIncBasePriorityPrivilege	2100	powershell.exe
Token: SeCreatePagefilePrivilege	2100	powershell.exe
Token: SeBackupPrivilege	2100	powershell.exe
Token: SeRestorePrivilege	2100	powershell.exe
Token: SeShutdownPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeSystemEnvironmentPrivilege	2100	powershell.exe
Token: SeRemoteShutdownPrivilege	2100	powershell.exe
Token: SeUndockPrivilege	2100	powershell.exe
Token: SeManageVolumePrivilege	2100	powershell.exe
Token: 33	2100	powershell.exe
Token: 34	2100	powershell.exe
Token: 35	2100	powershell.exe
Token: 36	2100	powershell.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe
Token: SeBackupPrivilege	3988	powershell.exe
Token: SeRestorePrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeSystemEnvironmentPrivilege	3988	powershell.exe
Token: SeRemoteShutdownPrivilege	3988	powershell.exe
Token: SeUndockPrivilege	3988	powershell.exe
Token: SeManageVolumePrivilege	3988	powershell.exe
Token: 33	3988	powershell.exe
Token: 34	3988	powershell.exe
Token: 35	3988	powershell.exe
Token: 36	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	1592	powershell.exe
Token: SeSecurityPrivilege	1592	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 4940	2708	1a0f5dcc4e57278f186d686e26eb4f084891ea78880e65dec1cdfafe877dbf56.exe	66
PID 2708 wrote to memory of 4940	2708	1a0f5dcc4e57278f186d686e26eb4f084891ea78880e65dec1cdfafe877dbf56.exe	66
PID 2708 wrote to memory of 4940	2708	1a0f5dcc4e57278f186d686e26eb4f084891ea78880e65dec1cdfafe877dbf56.exe	66
PID 4940 wrote to memory of 4224	4940	WScript.exe	67
PID 4940 wrote to memory of 4224	4940	WScript.exe	67
PID 4940 wrote to memory of 4224	4940	WScript.exe	67
PID 4224 wrote to memory of 4068	4224	cmd.exe	69
PID 4224 wrote to memory of 4068	4224	cmd.exe	69
PID 4068 wrote to memory of 2100	4068	DllCommonsvc.exe	122
PID 4068 wrote to memory of 2100	4068	DllCommonsvc.exe	122
PID 4068 wrote to memory of 2848	4068	DllCommonsvc.exe	124
PID 4068 wrote to memory of 2848	4068	DllCommonsvc.exe	124
PID 4068 wrote to memory of 2404	4068	DllCommonsvc.exe	126
PID 4068 wrote to memory of 2404	4068	DllCommonsvc.exe	126
PID 4068 wrote to memory of 3800	4068	DllCommonsvc.exe	128
PID 4068 wrote to memory of 3800	4068	DllCommonsvc.exe	128
PID 4068 wrote to memory of 2400	4068	DllCommonsvc.exe	130
PID 4068 wrote to memory of 2400	4068	DllCommonsvc.exe	130
PID 4068 wrote to memory of 3828	4068	DllCommonsvc.exe	132
PID 4068 wrote to memory of 3828	4068	DllCommonsvc.exe	132
PID 4068 wrote to memory of 3512	4068	DllCommonsvc.exe	136
PID 4068 wrote to memory of 3512	4068	DllCommonsvc.exe	136
PID 4068 wrote to memory of 3988	4068	DllCommonsvc.exe	135
PID 4068 wrote to memory of 3988	4068	DllCommonsvc.exe	135
PID 4068 wrote to memory of 3980	4068	DllCommonsvc.exe	138
PID 4068 wrote to memory of 3980	4068	DllCommonsvc.exe	138
PID 4068 wrote to memory of 3600	4068	DllCommonsvc.exe	139
PID 4068 wrote to memory of 3600	4068	DllCommonsvc.exe	139
PID 4068 wrote to memory of 2152	4068	DllCommonsvc.exe	140
PID 4068 wrote to memory of 2152	4068	DllCommonsvc.exe	140
PID 4068 wrote to memory of 4864	4068	DllCommonsvc.exe	142
PID 4068 wrote to memory of 4864	4068	DllCommonsvc.exe	142
PID 4068 wrote to memory of 64	4068	DllCommonsvc.exe	143
PID 4068 wrote to memory of 64	4068	DllCommonsvc.exe	143
PID 4068 wrote to memory of 1592	4068	DllCommonsvc.exe	146
PID 4068 wrote to memory of 1592	4068	DllCommonsvc.exe	146
PID 4068 wrote to memory of 3484	4068	DllCommonsvc.exe	147
PID 4068 wrote to memory of 3484	4068	DllCommonsvc.exe	147
PID 4068 wrote to memory of 2920	4068	DllCommonsvc.exe	148
PID 4068 wrote to memory of 2920	4068	DllCommonsvc.exe	148
PID 4068 wrote to memory of 3328	4068	DllCommonsvc.exe	149
PID 4068 wrote to memory of 3328	4068	DllCommonsvc.exe	149
PID 4068 wrote to memory of 4264	4068	DllCommonsvc.exe	153
PID 4068 wrote to memory of 4264	4068	DllCommonsvc.exe	153
PID 4068 wrote to memory of 2796	4068	DllCommonsvc.exe	158
PID 4068 wrote to memory of 2796	4068	DllCommonsvc.exe	158

C:\Users\Admin\AppData\Local\Temp\1a0f5dcc4e57278f186d686e26eb4f084891ea78880e65dec1cdfafe877dbf56.exe
"C:\Users\Admin\AppData\Local\Temp\1a0f5dcc4e57278f186d686e26eb4f084891ea78880e65dec1cdfafe877dbf56.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\GroupPolicy\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
    - - C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\INF\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\GroupPolicy\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SysWOW64\GroupPolicy\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\GroupPolicy\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\ELAMBKUP\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\ELAMBKUP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d1c4e537c724d6950676d4c2a723084

SHA1
80251587dcae7f7cadf29f92567a5cb3b9d140a8

SHA256
c8f4a331e6dfbf1ca23ef04d078bba57843a0e13d80a5c57b9b6783186488871

SHA512
78f1522541a62cc83ff10e16e810face8c34fad6ad7da392fc52eff7edea51984b441d5f889da1e322a453cf38aeb33064609b3822bdf8e90eadbd78bd5be49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d1c4e537c724d6950676d4c2a723084

SHA1
80251587dcae7f7cadf29f92567a5cb3b9d140a8

SHA256
c8f4a331e6dfbf1ca23ef04d078bba57843a0e13d80a5c57b9b6783186488871

SHA512
78f1522541a62cc83ff10e16e810face8c34fad6ad7da392fc52eff7edea51984b441d5f889da1e322a453cf38aeb33064609b3822bdf8e90eadbd78bd5be49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
81cabd8f3d4314a3845b469c34e3470d

SHA1
dba95d59050661ba208a5100207e32498e07954b

SHA256
9b1757f539bbbe0f66070b6302a018c79e8c572dfe35c51743a40d3da6bd790e

SHA512
3e2d3b35908fff4ace2e050290913e5eacd6985ced7c4cfa4565d946ab3aa48f6b65dcef59a7558d9939601bc38cbc988a58f9987a22ff48974b0591985fcfdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e3dcab6187f52aaa8f47e6f4abd301b

SHA1
8d168210db6c4dbc2558463b3682f24034ec0ad8

SHA256
c9709d87f802ded514d0e0660b0924c5a89a6d2a6ff8efd2c7eb6fe441d83480

SHA512
36771e2b958d56ab99fb4028235f0936d41f7ea183285c01641cacd8d268fd7ced280bb32bdf3bee430ecc2abf7e5a0e4a8a5314f7e0162ab1166a105e2ce9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e3dcab6187f52aaa8f47e6f4abd301b

SHA1
8d168210db6c4dbc2558463b3682f24034ec0ad8

SHA256
c9709d87f802ded514d0e0660b0924c5a89a6d2a6ff8efd2c7eb6fe441d83480

SHA512
36771e2b958d56ab99fb4028235f0936d41f7ea183285c01641cacd8d268fd7ced280bb32bdf3bee430ecc2abf7e5a0e4a8a5314f7e0162ab1166a105e2ce9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
751db713a6535134a39f0d530c3b342a

SHA1
0af3fca5a235915418ae646d0b827e2685b880b7

SHA256
9e4f57279aa8531e11dda0a70199bbd2575fabeb2884d09033171301370730c7

SHA512
001337514e815681ef19a6dd3c7a82a1582267a603581dbd0940209143fa03a1271a2efde6f192b36fb0c6cae193b9c2534211c8d2cb1a305c76f9ef9faaf91e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
09e8b8f8c3ecac1fa6eb89f64a169e06

SHA1
abf0e14fab8f0ed908cc43bbc980f35793255739

SHA256
e4009f6a82cd5b9911b5910dbef81e436f9302d1232e9a866bf35b97340eff16

SHA512
b4e9c28a232b26fde174cacd5810bf8f496ba7cef32b83434a7d00532aae7c2deb99ec6ce9a44e52b13ccb9987978eabefc1c5d0a48ff12a00aaa55e6ea11b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba80830265fa3367fde4c18edb2f16c9

SHA1
b24b9e9a4c19227a7ac3f9351cd34d28f25497cb

SHA256
51b72551b61b6161fc075515f6678847838e2531f8452fcd628a7b63979c688b

SHA512
c5f3763b340b9b074cd9b89cd66fa96e2c1e1073c2746e65908a2657b0ea42b39d9218c466f9e150c659ff564a644872970d4418fb721cee76b2cbc6fa6dae6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba80830265fa3367fde4c18edb2f16c9

SHA1
b24b9e9a4c19227a7ac3f9351cd34d28f25497cb

SHA256
51b72551b61b6161fc075515f6678847838e2531f8452fcd628a7b63979c688b

SHA512
c5f3763b340b9b074cd9b89cd66fa96e2c1e1073c2746e65908a2657b0ea42b39d9218c466f9e150c659ff564a644872970d4418fb721cee76b2cbc6fa6dae6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fad8934fb04fa08bbbbc7fbfec8b5bab

SHA1
6fe89d2180ef335b411128f201fd4047fc0db92f

SHA256
67f41ed9ec61533198cf7d9cabc68b3efcbbf54e58a706c38dff0020adbfd9d5

SHA512
1114453a3dd3f96e0fc237f8817e39eba095fc5a073b7a6f101f9d16bc0c8f0a1ecf2f55bc660ace7d2344d17de5105dce5ef84014c0c289db6b09c905304596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fad8934fb04fa08bbbbc7fbfec8b5bab

SHA1
6fe89d2180ef335b411128f201fd4047fc0db92f

SHA256
67f41ed9ec61533198cf7d9cabc68b3efcbbf54e58a706c38dff0020adbfd9d5

SHA512
1114453a3dd3f96e0fc237f8817e39eba095fc5a073b7a6f101f9d16bc0c8f0a1ecf2f55bc660ace7d2344d17de5105dce5ef84014c0c289db6b09c905304596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5a1909043aeb1facf0e2a48f5bdf045

SHA1
3621ebcbbf836d96cd537a23834b54a0469ec0cf

SHA256
ceef8562dd2a292d89f5b9a606b929b442a0a7b76ea1891651a22ded502f5d2b

SHA512
ca9b15940943ba91a4c918c8b49d6899d69882d5b0137166191f63a063828757893461b530d17fc527d860a8691292353856c935198662cd021353ae4e5fe198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5a1909043aeb1facf0e2a48f5bdf045

SHA1
3621ebcbbf836d96cd537a23834b54a0469ec0cf

SHA256
ceef8562dd2a292d89f5b9a606b929b442a0a7b76ea1891651a22ded502f5d2b

SHA512
ca9b15940943ba91a4c918c8b49d6899d69882d5b0137166191f63a063828757893461b530d17fc527d860a8691292353856c935198662cd021353ae4e5fe198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5a1909043aeb1facf0e2a48f5bdf045

SHA1
3621ebcbbf836d96cd537a23834b54a0469ec0cf

SHA256
ceef8562dd2a292d89f5b9a606b929b442a0a7b76ea1891651a22ded502f5d2b

SHA512
ca9b15940943ba91a4c918c8b49d6899d69882d5b0137166191f63a063828757893461b530d17fc527d860a8691292353856c935198662cd021353ae4e5fe198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6cea654ac65cf8cae44212a2a7cc4556

SHA1
e86a175a9fd03a6149bc3a8cd44dcea9802082d2

SHA256
3773f95d29e326e000d309bf680f9e6bf37fa260cb41a74683a17db30198432d

SHA512
eaa401ea228a4535efa4c1c71a8903c4072c03569798612c0f5f722504c515b743958b00a51e8e3c8174220213416ad5ac861c141725353cbf2023f6e5b16954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abffecea0f46d01c938cca6cb44e855b

SHA1
fd38aae6f3d4f269b95ad4976109de934b5084c9

SHA256
127ee0260a8e063c0de7d6b105498abce681f8e1e44e2d146356c896ad6f39d0

SHA512
9eb04d4ec78005573015775e60949fcfbf13cbb774fa832ae10f3c98c181cf2e0be0cb971b179753d82e385e8f5a9a6363b5a11120ef776570986ffa5b50ccfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e9b755b860cfe0c358bb582839241a2b

SHA1
8e8e74073a95d7f5f37a5cb1ba486ec8f527b549

SHA256
818138f5bc9aad18128f427e930c1d77514b5327a778365b96a5ad6405d5fe22

SHA512
7ca070acb797f55feef5881d8b880f5c0bfe42767a12c4b9332702781bbba36361d8a326588d2fe777b921814c978aff33e8a9c4be35f37671847739c1bee582

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2100-404-0x0000020CAEE20000-0x0000020CAEE96000-memory.dmp

Filesize
472KB

Download
memory/2708-175-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-137-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-150-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-151-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-152-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-153-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-154-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-155-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-156-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-157-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-158-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-159-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-160-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-161-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-162-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-163-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-164-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-165-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-166-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-167-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-168-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-169-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-170-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-171-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-172-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-173-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-174-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-115-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-176-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-177-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-178-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-116-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-117-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-118-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-147-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-148-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-120-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-146-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-121-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-145-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-123-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-124-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-125-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-126-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-127-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-144-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-128-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-143-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-129-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-142-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-130-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-131-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-132-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-133-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-134-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-141-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-135-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-136-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-149-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-138-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-139-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-140-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2848-395-0x000002AE73AD0000-0x000002AE73AF2000-memory.dmp

Filesize
136KB

Download
memory/4068-281-0x0000000000950000-0x0000000000A60000-memory.dmp

Filesize
1.1MB

Download
memory/4068-285-0x0000000001110000-0x000000000111C000-memory.dmp

Filesize
48KB

Download
memory/4068-284-0x0000000001100000-0x000000000110C000-memory.dmp

Filesize
48KB

Download
memory/4068-283-0x00000000010F0000-0x00000000010FC000-memory.dmp

Filesize
48KB

Download
memory/4068-282-0x00000000010E0000-0x00000000010F2000-memory.dmp

Filesize
72KB

Download
memory/4940-181-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/4940-180-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download