dcrat | c17ee50458ad78fb43b23fd8001002cd35bb8effac19ec33091ddadefbc7dcac

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2023 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.6MB
MD5

373992db74a918562686a9e9144ecbbe
SHA1

953c7daaec55cdf106b371b555bc73f83a127b26
SHA256

c17ee50458ad78fb43b23fd8001002cd35bb8effac19ec33091ddadefbc7dcac
SHA512

ddf9af3d9b765708ce9e91f1ba7631f4111202016deae60f0da80026688fd465e9877fe55ec175be0296db153e300188a5aeadd5566b2e72fc8cf0e1bb8a80e4
SSDEEP

24576:U2G/nvxW3Ww0t1urfikuV13mFFkwIuKOaZDIpw6P/KlBrJ/GB+8xNEJnw:UbA30Wiku13qF1jtpwG/KR/YxNEJw

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2128	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	2128	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe	dcrat
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe	dcrat
behavioral2/memory/388-145-0x0000000000190000-0x00000000002E4000-memory.dmp	dcrat
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe	dcrat
C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe	dcrat
C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exeWScript.execomponentMonitorcommon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	componentMonitorcommon.exe

Executes dropped EXE 2 IoCs

Processes:

componentMonitorcommon.exeWmiPrvSE.exe

pid process

388 componentMonitorcommon.exe
2568 WmiPrvSE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 ipinfo.io
51 ipinfo.io

flow	ioc
50	ipinfo.io
51	ipinfo.io

Drops file in Program Files directory 14 IoCs

Processes:

componentMonitorcommon.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office 15\ClientX64\6203df4a6bafc7	componentMonitorcommon.exe
File created	C:\Program Files\Windows Defender\de-DE\66fc9ff0ee96c2	componentMonitorcommon.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\6cb0b6c459d5d3	componentMonitorcommon.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RuntimeBroker.exe	componentMonitorcommon.exe
File created	C:\Program Files (x86)\Windows Mail\dllhost.exe	componentMonitorcommon.exe
File created	C:\Program Files\Windows Defender\de-DE\sihost.exe	componentMonitorcommon.exe
File created	C:\Program Files (x86)\Windows Mail\cc11b995f2a76d	componentMonitorcommon.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe	componentMonitorcommon.exe
File created	C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe	componentMonitorcommon.exe
File created	C:\Program Files (x86)\Common Files\Services\5b884080fd4f94	componentMonitorcommon.exe
File created	C:\Program Files (x86)\Windows Mail\winlogon.exe	componentMonitorcommon.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\9e8d7a4ca61bd9	componentMonitorcommon.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe	componentMonitorcommon.exe
File created	C:\Program Files (x86)\Windows Mail\5940a34987c991	componentMonitorcommon.exe

Drops file in Windows directory 4 IoCs

Processes:

componentMonitorcommon.exe

description	ioc	process
File created	C:\Windows\Resources\Ease of Access Themes\lsass.exe	componentMonitorcommon.exe
File created	C:\Windows\Resources\Ease of Access Themes\6203df4a6bafc7	componentMonitorcommon.exe
File created	C:\Windows\SchCache\explorer.exe	componentMonitorcommon.exe
File created	C:\Windows\SchCache\7a0fd90576e088	componentMonitorcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2268	schtasks.exe
3992	schtasks.exe
2664	schtasks.exe
1932	schtasks.exe
932	schtasks.exe
820	schtasks.exe
4304	schtasks.exe
3512	schtasks.exe
1456	schtasks.exe
1708	schtasks.exe
1608	schtasks.exe
3544	schtasks.exe
2300	schtasks.exe
4112	schtasks.exe
1576	schtasks.exe
2388	schtasks.exe
2572	schtasks.exe
4272	schtasks.exe
4744	schtasks.exe
1800	schtasks.exe
4232	schtasks.exe
3076	schtasks.exe
4188	schtasks.exe
4180	schtasks.exe
2568	schtasks.exe
2648	schtasks.exe
2180	schtasks.exe
3996	schtasks.exe
4396	schtasks.exe
4496	schtasks.exe
1560	schtasks.exe
4752	schtasks.exe
3828	schtasks.exe
4016	schtasks.exe
4684	schtasks.exe
5112	schtasks.exe
3940	schtasks.exe
4972	schtasks.exe
5024	schtasks.exe
2452	schtasks.exe
3132	schtasks.exe
1476	schtasks.exe
3388	schtasks.exe
3968	schtasks.exe
2584	schtasks.exe
2336	schtasks.exe
2108	schtasks.exe
1068	schtasks.exe
1348	schtasks.exe
2016	schtasks.exe
720	schtasks.exe

Modifies registry class 1 IoCs

Processes:

tmp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings tmp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

componentMonitorcommon.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWmiPrvSE.exe

pid	process
388	componentMonitorcommon.exe
388	componentMonitorcommon.exe
388	componentMonitorcommon.exe
388	componentMonitorcommon.exe
388	componentMonitorcommon.exe
388	componentMonitorcommon.exe
388	componentMonitorcommon.exe
4664	powershell.exe
4664	powershell.exe
4932	powershell.exe
4932	powershell.exe
1352	powershell.exe
1352	powershell.exe
3896	powershell.exe
3896	powershell.exe
2332	powershell.exe
2332	powershell.exe
4484	powershell.exe
4484	powershell.exe
4252	powershell.exe
4252	powershell.exe
2820	powershell.exe
2820	powershell.exe
4720	powershell.exe
4720	powershell.exe
3856	powershell.exe
3856	powershell.exe
4764	powershell.exe
4764	powershell.exe
4172	powershell.exe
4172	powershell.exe
4796	powershell.exe
4796	powershell.exe
5084	powershell.exe
5084	powershell.exe
3004	powershell.exe
3004	powershell.exe
5080	powershell.exe
5080	powershell.exe
4288	powershell.exe
4288	powershell.exe
1260	powershell.exe
1260	powershell.exe
1260	powershell.exe
4720	powershell.exe
4764	powershell.exe
2568	WmiPrvSE.exe
2568	WmiPrvSE.exe
4664	powershell.exe
4664	powershell.exe
1352	powershell.exe
1352	powershell.exe
2332	powershell.exe
4932	powershell.exe
4932	powershell.exe
4288	powershell.exe
2820	powershell.exe
4484	powershell.exe
4252	powershell.exe
3896	powershell.exe
3896	powershell.exe
3004	powershell.exe
4172	powershell.exe
3856	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WmiPrvSE.exe

pid process

2568 WmiPrvSE.exe

pid	process
2568	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	388	componentMonitorcommon.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2568	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

tmp.exeWScript.execmd.execomponentMonitorcommon.exe

description	pid	process	target process
PID 2900 wrote to memory of 4640	2900	tmp.exe	WScript.exe
PID 2900 wrote to memory of 4640	2900	tmp.exe	WScript.exe
PID 2900 wrote to memory of 4640	2900	tmp.exe	WScript.exe
PID 4640 wrote to memory of 3492	4640	WScript.exe	cmd.exe
PID 4640 wrote to memory of 3492	4640	WScript.exe	cmd.exe
PID 4640 wrote to memory of 3492	4640	WScript.exe	cmd.exe
PID 3492 wrote to memory of 388	3492	cmd.exe	componentMonitorcommon.exe
PID 3492 wrote to memory of 388	3492	cmd.exe	componentMonitorcommon.exe
PID 388 wrote to memory of 4664	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4664	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4172	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4172	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 2820	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 2820	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4484	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4484	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 3856	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 3856	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 3896	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 3896	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4252	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4252	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 1260	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 1260	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4288	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4288	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 2332	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 2332	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4932	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4932	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4764	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4764	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4796	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4796	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 3004	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 3004	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 5080	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 5080	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 5084	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 5084	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4720	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 4720	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 1352	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 1352	388	componentMonitorcommon.exe	powershell.exe
PID 388 wrote to memory of 2568	388	componentMonitorcommon.exe	WmiPrvSE.exe
PID 388 wrote to memory of 2568	388	componentMonitorcommon.exe	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\vQ3VIYUYL2xofTcP0gCIzAw.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\mQTPECbUX38DuLpdMmoUBOwQ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
"C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Ease of Access Themes\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\WmiPrvSE.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
588e5b3406537204588ef39f4c84259f

SHA1
c6056b8139c0796cc6272b7b71fca2085f62b785

SHA256
3b7e7c56deb0f16483d67e60a42a5f0a58ee557790fe0f312d036e4ecc31f7f0

SHA512
f85ea8f8f0c3ea56840a84f42a188f125c13cea8b23f86ddcce8eb28758e816dd6d871154dfe63d250ef369b153f72c587a7a8bccd0a2728b7bc922dd7436e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
243347db405974f6277b941306d57ddb

SHA1
48a7563230d78ecfe8aaa7b749bf985c6078b4e4

SHA256
876100d0ce1aff677a0cab677787ca9858a989f4e5c13b05c8931f709232b835

SHA512
1c45eae761fb4224943debe2f2d553793146bb6d4bf2535de2bded3f9c78665607bc1fce7d4ecf905569488e42e42d0bf4b6d20dfcf8cda77a354b8faf17a951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
588e5b3406537204588ef39f4c84259f

SHA1
c6056b8139c0796cc6272b7b71fca2085f62b785

SHA256
3b7e7c56deb0f16483d67e60a42a5f0a58ee557790fe0f312d036e4ecc31f7f0

SHA512
f85ea8f8f0c3ea56840a84f42a188f125c13cea8b23f86ddcce8eb28758e816dd6d871154dfe63d250ef369b153f72c587a7a8bccd0a2728b7bc922dd7436e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
588e5b3406537204588ef39f4c84259f

SHA1
c6056b8139c0796cc6272b7b71fca2085f62b785

SHA256
3b7e7c56deb0f16483d67e60a42a5f0a58ee557790fe0f312d036e4ecc31f7f0

SHA512
f85ea8f8f0c3ea56840a84f42a188f125c13cea8b23f86ddcce8eb28758e816dd6d871154dfe63d250ef369b153f72c587a7a8bccd0a2728b7bc922dd7436e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
588e5b3406537204588ef39f4c84259f

SHA1
c6056b8139c0796cc6272b7b71fca2085f62b785

SHA256
3b7e7c56deb0f16483d67e60a42a5f0a58ee557790fe0f312d036e4ecc31f7f0

SHA512
f85ea8f8f0c3ea56840a84f42a188f125c13cea8b23f86ddcce8eb28758e816dd6d871154dfe63d250ef369b153f72c587a7a8bccd0a2728b7bc922dd7436e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
588e5b3406537204588ef39f4c84259f

SHA1
c6056b8139c0796cc6272b7b71fca2085f62b785

SHA256
3b7e7c56deb0f16483d67e60a42a5f0a58ee557790fe0f312d036e4ecc31f7f0

SHA512
f85ea8f8f0c3ea56840a84f42a188f125c13cea8b23f86ddcce8eb28758e816dd6d871154dfe63d250ef369b153f72c587a7a8bccd0a2728b7bc922dd7436e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igisvwi2.1of.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\componentMonitorcommon.exe
Filesize
1.3MB

MD5
231efb7ab5b36cda91e06456480228c1

SHA1
11edb782a254ead91bef459fb4dac0ca393ffeaf

SHA256
5d876dee883aabe22c89e9332d18d41580e7dc5c5030be843538b5a11c053a1d

SHA512
c51446bf048412031b5ea5c09b55b8c1ba8d3319eaf84cda647c0048f919a9f408220200ae1d405acd54557af9626a91e03789573a556ccafea9b7bfbcec2017

Download Submit
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\mQTPECbUX38DuLpdMmoUBOwQ.bat
Filesize
55B

MD5
4eca9a6bf6c52d04c26fa14ea74bf227

SHA1
ca0fea58051517e6295da2da5e3f249ad4ff3504

SHA256
96ca7d8a38fd1f411bf623f952bbd4b8e93243167c2158917eba0d68f00e85cc

SHA512
3d818f8e1ea332deb3a0aaff2284deb6380639a56dc30a7e675cfe76c253f0c626783e5b7652cd6dbad541022ccb6058376ec5d7f12d0674a4478cfefef9df18

Download Submit
C:\Users\Admin\AppData\Roaming\blockRuntimedhcp\vQ3VIYUYL2xofTcP0gCIzAw.vbe
Filesize
224B

MD5
7b5df8b8d4d8d1b95b3313ffaf3c420b

SHA1
70c9cb3ea22d5349044e03f7e6fa4d98e6bc208d

SHA256
1c307726e10a7546162838a9981c0d0565306998ed731ee73a047d664d72a3ea

SHA512
ddc870977887cd25ca709ff3b3be1311d7478e5c361936d3ff3dd845aa04633fcc081a27bc088e20001f1105862c88972d9325a3b40126157906400ccda65270

Download Submit
memory/388-145-0x0000000000190000-0x00000000002E4000-memory.dmp

Filesize
1.3MB

Download
memory/388-146-0x0000000002410000-0x0000000002460000-memory.dmp

Filesize
320KB

Download
memory/388-147-0x000000001B040000-0x000000001B050000-memory.dmp

Filesize
64KB

Download
memory/1260-217-0x00000225E4BE0000-0x00000225E4BF0000-memory.dmp

Filesize
64KB

Download
memory/1260-206-0x00000225E4BE0000-0x00000225E4BF0000-memory.dmp

Filesize
64KB

Download
memory/1352-196-0x00000239DB4B0000-0x00000239DB4C0000-memory.dmp

Filesize
64KB

Download
memory/1352-386-0x00000239DB4B0000-0x00000239DB4C0000-memory.dmp

Filesize
64KB

Download
memory/1352-377-0x00000239DB4B0000-0x00000239DB4C0000-memory.dmp

Filesize
64KB

Download
memory/2332-393-0x0000017710DF0000-0x0000017710E00000-memory.dmp

Filesize
64KB

Download
memory/2332-379-0x0000017710DF0000-0x0000017710E00000-memory.dmp

Filesize
64KB

Download
memory/2568-383-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/2568-434-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/2568-433-0x000000001D190000-0x000000001D6B8000-memory.dmp

Filesize
5.2MB

Download
memory/2568-432-0x000000001C690000-0x000000001C852000-memory.dmp

Filesize
1.8MB

Download
memory/2568-431-0x000000001BD00000-0x000000001BD30000-memory.dmp

Filesize
192KB

Download
memory/2820-202-0x000001E11A480000-0x000001E11A490000-memory.dmp

Filesize
64KB

Download
memory/3004-243-0x0000023C1C050000-0x0000023C1C060000-memory.dmp

Filesize
64KB

Download
memory/3856-203-0x000001FB1A5E0000-0x000001FB1A5F0000-memory.dmp

Filesize
64KB

Download
memory/3856-395-0x000001FB1A5E0000-0x000001FB1A5F0000-memory.dmp

Filesize
64KB

Download
memory/3896-390-0x00000182FFEA0000-0x00000182FFEB0000-memory.dmp

Filesize
64KB

Download
memory/3896-197-0x00000182FFEA0000-0x00000182FFEB0000-memory.dmp

Filesize
64KB

Download
memory/3896-378-0x00000182FFEA0000-0x00000182FFEB0000-memory.dmp

Filesize
64KB

Download
memory/4172-391-0x000002C189FF0000-0x000002C18A000000-memory.dmp

Filesize
64KB

Download
memory/4172-264-0x000002C189FF0000-0x000002C18A000000-memory.dmp

Filesize
64KB

Download
memory/4172-394-0x000002C189FF0000-0x000002C18A000000-memory.dmp

Filesize
64KB

Download
memory/4172-290-0x000002C189FF0000-0x000002C18A000000-memory.dmp

Filesize
64KB

Download
memory/4252-389-0x0000025FDA710000-0x0000025FDA720000-memory.dmp

Filesize
64KB

Download
memory/4252-396-0x0000025FDA710000-0x0000025FDA720000-memory.dmp

Filesize
64KB

Download
memory/4288-212-0x0000022A6AA30000-0x0000022A6AA52000-memory.dmp

Filesize
136KB

Download
memory/4288-199-0x0000022A6A170000-0x0000022A6A180000-memory.dmp

Filesize
64KB

Download
memory/4288-387-0x0000022A6A170000-0x0000022A6A180000-memory.dmp

Filesize
64KB

Download
memory/4288-198-0x0000022A6A170000-0x0000022A6A180000-memory.dmp

Filesize
64KB

Download
memory/4484-388-0x00000242ED8F0000-0x00000242ED900000-memory.dmp

Filesize
64KB

Download
memory/4484-200-0x00000242ED8F0000-0x00000242ED900000-memory.dmp

Filesize
64KB

Download
memory/4484-201-0x00000242ED8F0000-0x00000242ED900000-memory.dmp

Filesize
64KB

Download
memory/4664-184-0x00000274FCA30000-0x00000274FCA40000-memory.dmp

Filesize
64KB

Download
memory/4664-190-0x00000274FCA30000-0x00000274FCA40000-memory.dmp

Filesize
64KB

Download
memory/4720-384-0x00000255A3E90000-0x00000255A3EA0000-memory.dmp

Filesize
64KB

Download
memory/4764-204-0x00000180571D0000-0x00000180571E0000-memory.dmp

Filesize
64KB

Download
memory/4764-205-0x00000180571D0000-0x00000180571E0000-memory.dmp

Filesize
64KB

Download
memory/4764-385-0x00000180571D0000-0x00000180571E0000-memory.dmp

Filesize
64KB

Download
memory/4796-382-0x0000020EA2CB0000-0x0000020EA2CC0000-memory.dmp

Filesize
64KB

Download
memory/4796-376-0x0000020EA2CB0000-0x0000020EA2CC0000-memory.dmp

Filesize
64KB

Download
memory/4932-192-0x000001E49D3F0000-0x000001E49D400000-memory.dmp

Filesize
64KB

Download
memory/5080-397-0x000001A774680000-0x000001A774690000-memory.dmp

Filesize
64KB

Download
memory/5080-231-0x000001A774680000-0x000001A774690000-memory.dmp

Filesize
64KB

Download
memory/5080-242-0x000001A774680000-0x000001A774690000-memory.dmp

Filesize
64KB

Download
memory/5084-392-0x0000025F98660000-0x0000025F98670000-memory.dmp

Filesize
64KB

Download