dcrat | 6eb71b177afb2deed43aafd7218e9429151b9f8bc8520c5530457aab3c1a8c9d

Analysis

max time kernel
148s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/02/2023, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eb71b177afb2deed43aafd7218e9429151b9f8bc8520c5530457aab3c1a8c9d.exe
Size

1.3MB
MD5

023e399574f2e82cfdf23ed76db9f0de
SHA1

700310b051aee3d860bd8a6e96fd8b3bf89e735b
SHA256

6eb71b177afb2deed43aafd7218e9429151b9f8bc8520c5530457aab3c1a8c9d
SHA512

1efb4c12866614d53bdba010520ce9e7860c4ff329f301a5bb3c241a927ff20c048d02ea27c97d896fe0c5e3ddee17fb144bc4fb48ed1eb5c43c4ce2f4465599
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	4584	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	4584	schtasks.exe	70

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac56-280.dat	dcrat
behavioral1/files/0x000800000001ac56-281.dat	dcrat
behavioral1/memory/2764-282-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac63-796.dat	dcrat
behavioral1/files/0x000600000001ac63-794.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2764	DllCommonsvc.exe
4768	sihost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Windows\rescache\_merged\2689570973\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\diagnostics\index\dwm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
416	schtasks.exe
4800	schtasks.exe
4776	schtasks.exe
1080	schtasks.exe
812	schtasks.exe
1804	schtasks.exe
492	schtasks.exe
3608	schtasks.exe
4968	schtasks.exe
744	schtasks.exe
1400	schtasks.exe
1636	schtasks.exe
216	schtasks.exe
220	schtasks.exe
4988	schtasks.exe
1696	schtasks.exe
304	schtasks.exe
2316	schtasks.exe
2412	schtasks.exe
4960	schtasks.exe
4880	schtasks.exe
1132	schtasks.exe
32	schtasks.exe
4452	schtasks.exe
4904	schtasks.exe
4804	schtasks.exe
1928	schtasks.exe
1236	schtasks.exe
428	schtasks.exe
2864	schtasks.exe
4980	schtasks.exe
4848	schtasks.exe
4748	schtasks.exe
1428	schtasks.exe
4608	schtasks.exe
4856	schtasks.exe
1228	schtasks.exe
1948	schtasks.exe
4544	schtasks.exe
4548	schtasks.exe
4892	schtasks.exe
3920	schtasks.exe
660	schtasks.exe
400	schtasks.exe
4620	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	6eb71b177afb2deed43aafd7218e9429151b9f8bc8520c5530457aab3c1a8c9d.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2440	powershell.exe
2440	powershell.exe
692	powershell.exe
692	powershell.exe
3048	powershell.exe
3048	powershell.exe
340	powershell.exe
340	powershell.exe
1824	powershell.exe
1824	powershell.exe
2636	powershell.exe
2636	powershell.exe
2648	powershell.exe
2648	powershell.exe
3832	powershell.exe
3832	powershell.exe
5036	powershell.exe
5036	powershell.exe
5092	powershell.exe
5092	powershell.exe
1568	powershell.exe
1568	powershell.exe
2636	powershell.exe
3908	powershell.exe
3908	powershell.exe
3832	powershell.exe
4504	powershell.exe
4504	powershell.exe
3676	powershell.exe
3676	powershell.exe
4524	powershell.exe
4524	powershell.exe
1568	powershell.exe
4652	powershell.exe
4652	powershell.exe
3676	powershell.exe
3832	powershell.exe
340	powershell.exe
1824	powershell.exe
2636	powershell.exe
2440	powershell.exe
2440	powershell.exe
692	powershell.exe
692	powershell.exe
3048	powershell.exe
3048	powershell.exe
2648	powershell.exe
5036	powershell.exe
1568	powershell.exe
5092	powershell.exe
3676	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4768	sihost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	DllCommonsvc.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeIncreaseQuotaPrivilege	2636	powershell.exe
Token: SeSecurityPrivilege	2636	powershell.exe
Token: SeTakeOwnershipPrivilege	2636	powershell.exe
Token: SeLoadDriverPrivilege	2636	powershell.exe
Token: SeSystemProfilePrivilege	2636	powershell.exe
Token: SeSystemtimePrivilege	2636	powershell.exe
Token: SeProfSingleProcessPrivilege	2636	powershell.exe
Token: SeIncBasePriorityPrivilege	2636	powershell.exe
Token: SeCreatePagefilePrivilege	2636	powershell.exe
Token: SeBackupPrivilege	2636	powershell.exe
Token: SeRestorePrivilege	2636	powershell.exe
Token: SeShutdownPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeSystemEnvironmentPrivilege	2636	powershell.exe
Token: SeRemoteShutdownPrivilege	2636	powershell.exe
Token: SeUndockPrivilege	2636	powershell.exe
Token: SeManageVolumePrivilege	2636	powershell.exe
Token: 33	2636	powershell.exe
Token: 34	2636	powershell.exe
Token: 35	2636	powershell.exe
Token: 36	2636	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe
Token: 33	3832	powershell.exe
Token: 34	3832	powershell.exe
Token: 35	3832	powershell.exe
Token: 36	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	1568	powershell.exe
Token: SeSecurityPrivilege	1568	powershell.exe
Token: SeTakeOwnershipPrivilege	1568	powershell.exe
Token: SeLoadDriverPrivilege	1568	powershell.exe
Token: SeSystemProfilePrivilege	1568	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 4252	3828	6eb71b177afb2deed43aafd7218e9429151b9f8bc8520c5530457aab3c1a8c9d.exe	66
PID 3828 wrote to memory of 4252	3828	6eb71b177afb2deed43aafd7218e9429151b9f8bc8520c5530457aab3c1a8c9d.exe	66
PID 3828 wrote to memory of 4252	3828	6eb71b177afb2deed43aafd7218e9429151b9f8bc8520c5530457aab3c1a8c9d.exe	66
PID 4252 wrote to memory of 3560	4252	WScript.exe	67
PID 4252 wrote to memory of 3560	4252	WScript.exe	67
PID 4252 wrote to memory of 3560	4252	WScript.exe	67
PID 3560 wrote to memory of 2764	3560	cmd.exe	69
PID 3560 wrote to memory of 2764	3560	cmd.exe	69
PID 2764 wrote to memory of 2440	2764	DllCommonsvc.exe	116
PID 2764 wrote to memory of 2440	2764	DllCommonsvc.exe	116
PID 2764 wrote to memory of 692	2764	DllCommonsvc.exe	117
PID 2764 wrote to memory of 692	2764	DllCommonsvc.exe	117
PID 2764 wrote to memory of 340	2764	DllCommonsvc.exe	118
PID 2764 wrote to memory of 340	2764	DllCommonsvc.exe	118
PID 2764 wrote to memory of 1824	2764	DllCommonsvc.exe	120
PID 2764 wrote to memory of 1824	2764	DllCommonsvc.exe	120
PID 2764 wrote to memory of 3048	2764	DllCommonsvc.exe	122
PID 2764 wrote to memory of 3048	2764	DllCommonsvc.exe	122
PID 2764 wrote to memory of 2636	2764	DllCommonsvc.exe	124
PID 2764 wrote to memory of 2636	2764	DllCommonsvc.exe	124
PID 2764 wrote to memory of 2648	2764	DllCommonsvc.exe	126
PID 2764 wrote to memory of 2648	2764	DllCommonsvc.exe	126
PID 2764 wrote to memory of 3832	2764	DllCommonsvc.exe	128
PID 2764 wrote to memory of 3832	2764	DllCommonsvc.exe	128
PID 2764 wrote to memory of 5036	2764	DllCommonsvc.exe	130
PID 2764 wrote to memory of 5036	2764	DllCommonsvc.exe	130
PID 2764 wrote to memory of 5092	2764	DllCommonsvc.exe	133
PID 2764 wrote to memory of 5092	2764	DllCommonsvc.exe	133
PID 2764 wrote to memory of 1568	2764	DllCommonsvc.exe	134
PID 2764 wrote to memory of 1568	2764	DllCommonsvc.exe	134
PID 2764 wrote to memory of 3908	2764	DllCommonsvc.exe	137
PID 2764 wrote to memory of 3908	2764	DllCommonsvc.exe	137
PID 2764 wrote to memory of 3676	2764	DllCommonsvc.exe	138
PID 2764 wrote to memory of 3676	2764	DllCommonsvc.exe	138
PID 2764 wrote to memory of 4504	2764	DllCommonsvc.exe	139
PID 2764 wrote to memory of 4504	2764	DllCommonsvc.exe	139
PID 2764 wrote to memory of 4524	2764	DllCommonsvc.exe	140
PID 2764 wrote to memory of 4524	2764	DllCommonsvc.exe	140
PID 2764 wrote to memory of 4652	2764	DllCommonsvc.exe	141
PID 2764 wrote to memory of 4652	2764	DllCommonsvc.exe	141
PID 2764 wrote to memory of 4896	2764	DllCommonsvc.exe	148
PID 2764 wrote to memory of 4896	2764	DllCommonsvc.exe	148
PID 4896 wrote to memory of 760	4896	cmd.exe	150
PID 4896 wrote to memory of 760	4896	cmd.exe	150
PID 4896 wrote to memory of 4768	4896	cmd.exe	152
PID 4896 wrote to memory of 4768	4896	cmd.exe	152

C:\Users\Admin\AppData\Local\Temp\6eb71b177afb2deed43aafd7218e9429151b9f8bc8520c5530457aab3c1a8c9d.exe
"C:\Users\Admin\AppData\Local\Temp\6eb71b177afb2deed43aafd7218e9429151b9f8bc8520c5530457aab3c1a8c9d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\include\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nFm4j3lsar.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:760
      - C:\Program Files (x86)\Windows Portable Devices\sihost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\sihost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\include\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\include\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.8.0_66\include\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Portable Devices\sihost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
961d4ca9aa48c718cf6e5b37f2894bdb

SHA1
d1d58a8f329990f30b2e50a9da2d00db6bcda5e5

SHA256
7333e1f71b05a2df4537192c658cee6a0dfee4dded2358c2ecbbca9ff466e263

SHA512
4baf7bb7e4aaf9b74f4337fd8aa66de5b0c253f1e427e42888dc5b49984a01e95b9a92e12c72e9954ddbee16133dcaac752588719d4782cfce13a4e9b04c3341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97d520de287e11796aedfe1954addc04

SHA1
340e9d64a7777589d615095bb2b2c069a241ca94

SHA256
abd2eb568ed59fa28f75c83898e4bb19468d0ad4ac4df2124d5708eb7bf29a1a

SHA512
4b7031dc7244fddfefa59d5cf999d891e304dbe1a3ebe52ac18ff398b544a39b789ec4fd3590deceb47356923093ecc54b754f3dabc2e03be850f62b6317d91f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
744a083eaaa0c81e521ef6e163e5c4fe

SHA1
bee12e302de1253fab4bec6c1958afee67abb770

SHA256
25341170d3f9dc7ca43d56ecd02c0df85f79217b7da126a7350ecdd9ca4e7f14

SHA512
dc2fe1bc5667a612b106be6fc67112d97c3eefbc25b0412f96528a08f38f08e92077aa6632714ea01b9d7fe46ae157ada641de0a3f4dffaf4442480b974f32a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
744a083eaaa0c81e521ef6e163e5c4fe

SHA1
bee12e302de1253fab4bec6c1958afee67abb770

SHA256
25341170d3f9dc7ca43d56ecd02c0df85f79217b7da126a7350ecdd9ca4e7f14

SHA512
dc2fe1bc5667a612b106be6fc67112d97c3eefbc25b0412f96528a08f38f08e92077aa6632714ea01b9d7fe46ae157ada641de0a3f4dffaf4442480b974f32a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ce50eaa4a4302e0993235846c6387e2

SHA1
87704acdfd9dceaaf6b77327a47f64e86857411a

SHA256
fa16521618b9d23d60b1254b665ec666b6e15c85564b188fb2c310393c312ed5

SHA512
fd6190425adefdb2ec6ad8fddb4280e70a35abdd2b7052bb44079dbdba722285814b4de53aa0d0f7cc735827847016aab9553b49e72f0f4de740076457a24a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ce50eaa4a4302e0993235846c6387e2

SHA1
87704acdfd9dceaaf6b77327a47f64e86857411a

SHA256
fa16521618b9d23d60b1254b665ec666b6e15c85564b188fb2c310393c312ed5

SHA512
fd6190425adefdb2ec6ad8fddb4280e70a35abdd2b7052bb44079dbdba722285814b4de53aa0d0f7cc735827847016aab9553b49e72f0f4de740076457a24a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c2635dbe4a8c6545c31e2c24237bd7ee

SHA1
a3c7e61a903d47caff6c6788c3bc13f1fd8ac579

SHA256
fc5efc1fe6acd7ee478cebba95ff4d6c496fad99641b822c287d6fbd2713828a

SHA512
5496346ea7abed56da5cdf6171140379ff14860a7b8e354d202381453f5559fca38f1b45444bf544a37243b4ee1f6ab130014e45ec907241694c364723d155e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c2635dbe4a8c6545c31e2c24237bd7ee

SHA1
a3c7e61a903d47caff6c6788c3bc13f1fd8ac579

SHA256
fc5efc1fe6acd7ee478cebba95ff4d6c496fad99641b822c287d6fbd2713828a

SHA512
5496346ea7abed56da5cdf6171140379ff14860a7b8e354d202381453f5559fca38f1b45444bf544a37243b4ee1f6ab130014e45ec907241694c364723d155e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
844e34b03be91bbcb301e47f61956720

SHA1
2364579a338b71d45af7f3597b86956feb7654dc

SHA256
132cac1d9a69a8f19637c62662e5557307aaf8debcdd1fb2428cc62b9702ebdf

SHA512
9ecb24129f77860320aeac7de72a69f3b6c6eb6d39c3ae63c4b2e019f84c80a2ba9f3f7bc4e38eb0eb1e79d5795a019c8e0502aba7eac24296e84fcff843f484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a81d353cbc70eb1b2b66d67f477bd38a

SHA1
ead1739c9f7bd7d61d486b8e4316586ba65d9c78

SHA256
16db16b1e3a130a329044a4415645c6c910bae5ee0f48943db208d1f65c2b96d

SHA512
9b740e6674954f5907593504932ad5d9154fab7c45c2dbecad9fd7d1a2959a05152ddd20e4125f0cfeac96f1da58b7ccab035cfccbe92ccc7fb444cdb48d5d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a81d353cbc70eb1b2b66d67f477bd38a

SHA1
ead1739c9f7bd7d61d486b8e4316586ba65d9c78

SHA256
16db16b1e3a130a329044a4415645c6c910bae5ee0f48943db208d1f65c2b96d

SHA512
9b740e6674954f5907593504932ad5d9154fab7c45c2dbecad9fd7d1a2959a05152ddd20e4125f0cfeac96f1da58b7ccab035cfccbe92ccc7fb444cdb48d5d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03863673de326bcfb91f9f30fd8c8fe6

SHA1
129e1fb43096b92e1fc5a56d06023718e9e69bda

SHA256
ceaaf6ee3e88dc19ae7bee6b88df2fa46aff622a77f6efd6c3cb8b0bc583e522

SHA512
fac7526d855369bbf42d6be7d03552a9bbdc299cf47eda6f594d4a33ddad2a23edb6b91d5950ab438cdda1a00003e9314c3c76b0f22d1989b1cec32c020582d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03863673de326bcfb91f9f30fd8c8fe6

SHA1
129e1fb43096b92e1fc5a56d06023718e9e69bda

SHA256
ceaaf6ee3e88dc19ae7bee6b88df2fa46aff622a77f6efd6c3cb8b0bc583e522

SHA512
fac7526d855369bbf42d6be7d03552a9bbdc299cf47eda6f594d4a33ddad2a23edb6b91d5950ab438cdda1a00003e9314c3c76b0f22d1989b1cec32c020582d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nFm4j3lsar.bat

Filesize
223B

MD5
f73c8893c855dfb182985c347c8d72a5

SHA1
4cd9ec95270d54d50c0c351194989cca950d3ff7

SHA256
b59ad27dc8f3f20084cea47a45ec68759b71bbba1336d999cb48a51253ca35e4

SHA512
accf4b14dfc99da705ff113600bc47b87f138d274be503ae06e06f1fb47286bf9cec6f9ae39491da12afc029c3cb0750db01bb2cbd5e2a8138a7bb33a52260ec

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/340-375-0x0000022E6E210000-0x0000022E6E232000-memory.dmp

Filesize
136KB

Download
memory/2764-282-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2764-286-0x0000000001660000-0x000000000166C000-memory.dmp

Filesize
48KB

Download
memory/2764-285-0x000000001C2F0000-0x000000001C2FC000-memory.dmp

Filesize
48KB

Download
memory/2764-284-0x0000000001350000-0x000000000135C000-memory.dmp

Filesize
48KB

Download
memory/2764-283-0x0000000001340000-0x0000000001352000-memory.dmp

Filesize
72KB

Download
memory/3828-169-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-141-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-154-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-155-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-156-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-157-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-158-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-159-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-160-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-161-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-162-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-163-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-164-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-165-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-166-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-168-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-167-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-152-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-170-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-171-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-172-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-173-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-174-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-175-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-176-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-177-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-151-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-149-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-150-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-148-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-147-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-146-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-145-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-144-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-143-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-142-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-140-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-153-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-178-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-179-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-116-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-139-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-117-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-118-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-119-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-121-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-122-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-138-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-137-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-124-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-125-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-126-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-127-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-128-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-136-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-130-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-135-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-134-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-129-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-133-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-132-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-131-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3832-390-0x000001C4CFE10000-0x000001C4CFE86000-memory.dmp

Filesize
472KB

Download
memory/4252-182-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/4252-181-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download