dcrat | 47f9f128195e6cefd2adaa011a09ba9beac10e9129a390dfbf88ce158248b1c0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 18:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

47f9f128195e6cefd2adaa011a09ba9beac10e9129a390dfbf88ce158248b1c0.exe
Size

1.3MB
MD5

e7776498c593315246451f8d43852683
SHA1

49f5c1376d4ebdd0b744b8b09ec4d21ab270cad3
SHA256

47f9f128195e6cefd2adaa011a09ba9beac10e9129a390dfbf88ce158248b1c0
SHA512

6ebd921dfa38f3280d7a5335033de030b6054746ac8e7625ae4211593834c574ccae2a919b2b753312ed1bd83430e2f480047009a523c37f7bc3bf4d654715e8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	188	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5344	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5416	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5504	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5536	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5576	2420	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5652	2420	schtasks.exe	70

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001ac38-281.dat	dcrat
behavioral1/files/0x000600000001ac38-282.dat	dcrat
behavioral1/memory/3836-283-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac38-392.dat	dcrat
behavioral1/files/0x000600000001ac38-474.dat	dcrat
behavioral1/files/0x000600000001ac85-1003.dat	dcrat
behavioral1/files/0x000600000001ac54-1012.dat	dcrat
behavioral1/files/0x000600000001ac8d-1391.dat	dcrat
behavioral1/files/0x000600000001ac8d-1393.dat	dcrat
behavioral1/files/0x000600000001ac8d-1612.dat	dcrat
behavioral1/files/0x000600000001ac8d-1619.dat	dcrat
behavioral1/files/0x000600000001ac8d-1625.dat	dcrat
behavioral1/files/0x000600000001ac8d-1630.dat	dcrat

Executes dropped EXE 8 IoCs

pid	Process
3836	DllCommonsvc.exe
2668	DllCommonsvc.exe
1172	DllCommonsvc.exe
5136	dllhost.exe
4860	dllhost.exe
5532	dllhost.exe
4704	dllhost.exe
4240	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\e978f868350d50	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\3a6fe29a7ceee6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\powershell.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\schtasks.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\e978f868350d50	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\INF\MSDTC\0409\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\Tasks\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\ShellExperiences\schtasks.exe	DllCommonsvc.exe
File created	C:\Windows\ShellExperiences\3a6fe29a7ceee6	DllCommonsvc.exe
File created	C:\Windows\INF\MSDTC\0409\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5576	schtasks.exe
5700	schtasks.exe
4352	schtasks.exe
5344	schtasks.exe
4596	schtasks.exe
5844	schtasks.exe
5424	schtasks.exe
4228	schtasks.exe
3300	schtasks.exe
4536	schtasks.exe
1356	schtasks.exe
3140	schtasks.exe
5996	schtasks.exe
204	schtasks.exe
5636	schtasks.exe
5004	schtasks.exe
3820	schtasks.exe
4620	schtasks.exe
4804	schtasks.exe
5708	schtasks.exe
5772	schtasks.exe
660	schtasks.exe
5980	schtasks.exe
4232	schtasks.exe
3780	schtasks.exe
5736	schtasks.exe
4520	schtasks.exe
3232	schtasks.exe
660	schtasks.exe
5940	schtasks.exe
5608	schtasks.exe
4656	schtasks.exe
1404	schtasks.exe
4976	schtasks.exe
5812	schtasks.exe
4128	schtasks.exe
5220	schtasks.exe
4092	schtasks.exe
4928	schtasks.exe
4980	schtasks.exe
5416	schtasks.exe
5504	schtasks.exe
5844	schtasks.exe
2496	schtasks.exe
4956	schtasks.exe
524	schtasks.exe
5460	schtasks.exe
5868	schtasks.exe
2012	schtasks.exe
2220	schtasks.exe
2460	schtasks.exe
188	schtasks.exe
5652	schtasks.exe
5748	schtasks.exe
4360	schtasks.exe
992	schtasks.exe
2204	schtasks.exe
3044	schtasks.exe
2216	schtasks.exe
5536	schtasks.exe
4428	schtasks.exe
3928	schtasks.exe
4248	schtasks.exe
4888	schtasks.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	47f9f128195e6cefd2adaa011a09ba9beac10e9129a390dfbf88ce158248b1c0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3836	DllCommonsvc.exe
3836	DllCommonsvc.exe
3836	DllCommonsvc.exe
3940	powershell.exe
3984	powershell.exe
3940	powershell.exe
2244	powershell.exe
3984	powershell.exe
2244	powershell.exe
3984	powershell.exe
3940	powershell.exe
2244	powershell.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
4504	powershell.exe
4504	powershell.exe
996	powershell.exe
996	powershell.exe
3960	powershell.exe
3960	powershell.exe
2212	powershell.exe
2212	powershell.exe
764	powershell.exe
764	powershell.exe
2280	powershell.exe
2280	powershell.exe
4408	powershell.exe
4408	powershell.exe
4856	powershell.exe
4856	powershell.exe
1196	powershell.exe
1196	powershell.exe
2912	powershell.exe
2912	powershell.exe
600	powershell.exe
600	powershell.exe
1012	powershell.exe
1012	powershell.exe
2064	powershell.exe
2064	powershell.exe
4732	powershell.exe
4732	powershell.exe
1016	powershell.exe
1016	powershell.exe
2944	powershell.exe
2944	powershell.exe
956	powershell.exe
956	powershell.exe
4856	powershell.exe
1012	powershell.exe
4928	powershell.exe
4928	powershell.exe
4504	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	DllCommonsvc.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeIncreaseQuotaPrivilege	3984	powershell.exe
Token: SeSecurityPrivilege	3984	powershell.exe
Token: SeTakeOwnershipPrivilege	3984	powershell.exe
Token: SeLoadDriverPrivilege	3984	powershell.exe
Token: SeSystemProfilePrivilege	3984	powershell.exe
Token: SeSystemtimePrivilege	3984	powershell.exe
Token: SeProfSingleProcessPrivilege	3984	powershell.exe
Token: SeIncBasePriorityPrivilege	3984	powershell.exe
Token: SeCreatePagefilePrivilege	3984	powershell.exe
Token: SeBackupPrivilege	3984	powershell.exe
Token: SeRestorePrivilege	3984	powershell.exe
Token: SeShutdownPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeSystemEnvironmentPrivilege	3984	powershell.exe
Token: SeRemoteShutdownPrivilege	3984	powershell.exe
Token: SeUndockPrivilege	3984	powershell.exe
Token: SeManageVolumePrivilege	3984	powershell.exe
Token: 33	3984	powershell.exe
Token: 34	3984	powershell.exe
Token: 35	3984	powershell.exe
Token: 36	3984	powershell.exe
Token: SeIncreaseQuotaPrivilege	3940	powershell.exe
Token: SeSecurityPrivilege	3940	powershell.exe
Token: SeTakeOwnershipPrivilege	3940	powershell.exe
Token: SeLoadDriverPrivilege	3940	powershell.exe
Token: SeSystemProfilePrivilege	3940	powershell.exe
Token: SeSystemtimePrivilege	3940	powershell.exe
Token: SeProfSingleProcessPrivilege	3940	powershell.exe
Token: SeIncBasePriorityPrivilege	3940	powershell.exe
Token: SeCreatePagefilePrivilege	3940	powershell.exe
Token: SeBackupPrivilege	3940	powershell.exe
Token: SeRestorePrivilege	3940	powershell.exe
Token: SeShutdownPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeSystemEnvironmentPrivilege	3940	powershell.exe
Token: SeRemoteShutdownPrivilege	3940	powershell.exe
Token: SeUndockPrivilege	3940	powershell.exe
Token: SeManageVolumePrivilege	3940	powershell.exe
Token: 33	3940	powershell.exe
Token: 34	3940	powershell.exe
Token: 35	3940	powershell.exe
Token: 36	3940	powershell.exe
Token: SeIncreaseQuotaPrivilege	2244	powershell.exe
Token: SeSecurityPrivilege	2244	powershell.exe
Token: SeTakeOwnershipPrivilege	2244	powershell.exe
Token: SeLoadDriverPrivilege	2244	powershell.exe
Token: SeSystemProfilePrivilege	2244	powershell.exe
Token: SeSystemtimePrivilege	2244	powershell.exe
Token: SeProfSingleProcessPrivilege	2244	powershell.exe
Token: SeIncBasePriorityPrivilege	2244	powershell.exe
Token: SeCreatePagefilePrivilege	2244	powershell.exe
Token: SeBackupPrivilege	2244	powershell.exe
Token: SeRestorePrivilege	2244	powershell.exe
Token: SeShutdownPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeSystemEnvironmentPrivilege	2244	powershell.exe
Token: SeRemoteShutdownPrivilege	2244	powershell.exe
Token: SeUndockPrivilege	2244	powershell.exe
Token: SeManageVolumePrivilege	2244	powershell.exe
Token: 33	2244	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2020	2496	47f9f128195e6cefd2adaa011a09ba9beac10e9129a390dfbf88ce158248b1c0.exe	66
PID 2496 wrote to memory of 2020	2496	47f9f128195e6cefd2adaa011a09ba9beac10e9129a390dfbf88ce158248b1c0.exe	66
PID 2496 wrote to memory of 2020	2496	47f9f128195e6cefd2adaa011a09ba9beac10e9129a390dfbf88ce158248b1c0.exe	66
PID 2020 wrote to memory of 4532	2020	WScript.exe	67
PID 2020 wrote to memory of 4532	2020	WScript.exe	67
PID 2020 wrote to memory of 4532	2020	WScript.exe	67
PID 4532 wrote to memory of 3836	4532	cmd.exe	69
PID 4532 wrote to memory of 3836	4532	cmd.exe	69
PID 3836 wrote to memory of 3940	3836	DllCommonsvc.exe	77
PID 3836 wrote to memory of 3940	3836	DllCommonsvc.exe	77
PID 3836 wrote to memory of 3984	3836	DllCommonsvc.exe	79
PID 3836 wrote to memory of 3984	3836	DllCommonsvc.exe	79
PID 3836 wrote to memory of 2244	3836	DllCommonsvc.exe	80
PID 3836 wrote to memory of 2244	3836	DllCommonsvc.exe	80
PID 3836 wrote to memory of 824	3836	DllCommonsvc.exe	83
PID 3836 wrote to memory of 824	3836	DllCommonsvc.exe	83
PID 824 wrote to memory of 4952	824	cmd.exe	85
PID 824 wrote to memory of 4952	824	cmd.exe	85
PID 824 wrote to memory of 2668	824	cmd.exe	86
PID 824 wrote to memory of 2668	824	cmd.exe	86
PID 2668 wrote to memory of 996	2668	DllCommonsvc.exe	139
PID 2668 wrote to memory of 996	2668	DllCommonsvc.exe	139
PID 2668 wrote to memory of 4504	2668	DllCommonsvc.exe	141
PID 2668 wrote to memory of 4504	2668	DllCommonsvc.exe	141
PID 2668 wrote to memory of 3960	2668	DllCommonsvc.exe	143
PID 2668 wrote to memory of 3960	2668	DllCommonsvc.exe	143
PID 2668 wrote to memory of 764	2668	DllCommonsvc.exe	145
PID 2668 wrote to memory of 764	2668	DllCommonsvc.exe	145
PID 2668 wrote to memory of 2280	2668	DllCommonsvc.exe	146
PID 2668 wrote to memory of 2280	2668	DllCommonsvc.exe	146
PID 2668 wrote to memory of 2212	2668	DllCommonsvc.exe	147
PID 2668 wrote to memory of 2212	2668	DllCommonsvc.exe	147
PID 2668 wrote to memory of 4408	2668	DllCommonsvc.exe	149
PID 2668 wrote to memory of 4408	2668	DllCommonsvc.exe	149
PID 2668 wrote to memory of 4856	2668	DllCommonsvc.exe	150
PID 2668 wrote to memory of 4856	2668	DllCommonsvc.exe	150
PID 2668 wrote to memory of 1196	2668	DllCommonsvc.exe	151
PID 2668 wrote to memory of 1196	2668	DllCommonsvc.exe	151
PID 2668 wrote to memory of 2912	2668	DllCommonsvc.exe	161
PID 2668 wrote to memory of 2912	2668	DllCommonsvc.exe	161
PID 2668 wrote to memory of 2064	2668	DllCommonsvc.exe	153
PID 2668 wrote to memory of 2064	2668	DllCommonsvc.exe	153
PID 2668 wrote to memory of 600	2668	DllCommonsvc.exe	154
PID 2668 wrote to memory of 600	2668	DllCommonsvc.exe	154
PID 2668 wrote to memory of 1012	2668	DllCommonsvc.exe	155
PID 2668 wrote to memory of 1012	2668	DllCommonsvc.exe	155
PID 2668 wrote to memory of 4732	2668	DllCommonsvc.exe	156
PID 2668 wrote to memory of 4732	2668	DllCommonsvc.exe	156
PID 2668 wrote to memory of 1016	2668	DllCommonsvc.exe	169
PID 2668 wrote to memory of 1016	2668	DllCommonsvc.exe	169
PID 2668 wrote to memory of 956	2668	DllCommonsvc.exe	166
PID 2668 wrote to memory of 956	2668	DllCommonsvc.exe	166
PID 2668 wrote to memory of 2944	2668	DllCommonsvc.exe	170
PID 2668 wrote to memory of 2944	2668	DllCommonsvc.exe	170
PID 2668 wrote to memory of 4928	2668	DllCommonsvc.exe	171
PID 2668 wrote to memory of 4928	2668	DllCommonsvc.exe	171
PID 2668 wrote to memory of 1172	2668	DllCommonsvc.exe	175
PID 2668 wrote to memory of 1172	2668	DllCommonsvc.exe	175
PID 1172 wrote to memory of 5208	1172	DllCommonsvc.exe	221
PID 1172 wrote to memory of 5208	1172	DllCommonsvc.exe	221
PID 1172 wrote to memory of 4456	1172	DllCommonsvc.exe	230
PID 1172 wrote to memory of 4456	1172	DllCommonsvc.exe	230
PID 1172 wrote to memory of 5540	1172	DllCommonsvc.exe	222
PID 1172 wrote to memory of 5540	1172	DllCommonsvc.exe	222

C:\Users\Admin\AppData\Local\Temp\47f9f128195e6cefd2adaa011a09ba9beac10e9129a390dfbf88ce158248b1c0.exe
"C:\Users\Admin\AppData\Local\Temp\47f9f128195e6cefd2adaa011a09ba9beac10e9129a390dfbf88ce158248b1c0.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VSKioGbcuq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:824
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4952
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\DllCommonsvc.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\powershell.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\MSDTC\0409\System.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\WmiPrvSE.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\taskhostw.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\powershell.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\conhost.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\powershell.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dllhost.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4928
        
        C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        8⤵
        
        PID:5208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\schtasks.exe'
        8⤵
        
        PID:5540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\powershell.exe'
        8⤵
        
        PID:6048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\winlogon.exe'
        8⤵
        
        PID:5516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\dllhost.exe'
        8⤵
        
        PID:6116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe'
        8⤵
        
        PID:4456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\conhost.exe'
        8⤵
        
        PID:5948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
        8⤵
        
        PID:5528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\DllCommonsvc.exe'
        8⤵
        
        PID:5224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\schtasks.exe'
        8⤵
        
        PID:5400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        8⤵
        
        PID:4428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\powershell.exe'
        8⤵
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\conhost.exe'
        8⤵
        
        PID:5420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\schtasks.exe'
        8⤵
        
        PID:4820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'
        8⤵
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe'
        8⤵
        
        PID:6120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFqaxwHYeo.bat"
        8⤵
        
        PID:3164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:432
        
        C:\Program Files\Windows Multimedia Platform\dllhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
        10⤵
        
        PID:3844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4864
        
        C:\Program Files\Windows Multimedia Platform\dllhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
        12⤵
        
        PID:4668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1020
        
        C:\Program Files\Windows Multimedia Platform\dllhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
        14⤵
        
        PID:5500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4768
        
        C:\Program Files\Windows Multimedia Platform\dllhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        16⤵
        
        PID:5656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4332
        
        C:\Program Files\Windows Multimedia Platform\dllhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\dllhost.exe"
        17⤵
        Executes dropped EXE
        
        PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Recent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\odt\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\MSDTC\0409\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\INF\MSDTC\0409\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\MSDTC\0409\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:5964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Music\conhost.exe'" /rl HIGHEST /f
1⤵
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
PID:5332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /f
1⤵
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\powershell.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellExperiences\schtasks.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellExperiences\schtasks.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'" /f
1⤵
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe'" /f
1⤵
PID:5864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\en-US\e978f868350d50

Filesize
731B

MD5
4c9cd05600e209cb7eaea451695a5746

SHA1
91696f3d59d5bf3023f8b75c90da32a4345de008

SHA256
2e6ef6491ed417bd4a42919606eb3552785d59b92a73dee76eae535ee94ee81d

SHA512
01c93557f0527d3f7e12ba4692aa13880b8ba6893cb060d2143fed7a21295002051ec884c718865cee9afd4ee89d18abb614bc15bd55a5a5f15698dd8d0b0cd3

Download Submit
C:\Program Files (x86)\Windows Defender\en-US\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dee9fcaf8bb2f4410856afb937784815

SHA1
09e7a105e63397a11004fbbfedb599b38789c9c6

SHA256
38c842804c1c76c1a99bd5629392cfa656b7336acd3cc7bde759c0db4f3d54fa

SHA512
b7dcc1d00eb048a1742a9066c291cd57ca5f2918862ed6b4f5a29d91dc782fff6b72b60e10844c3c605876733adb869c989f2b3d991dc274a1fbfc64c6cd2e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ba0b40b473e6b711f5c1023a9257e7f

SHA1
44207d765cd0334231c0bd8e157f025de4a24bb3

SHA256
5c73f572fbb8130f6a904c1fe0843483e3395348f3767a2b475ddd9a93accd4e

SHA512
44bcacb4829e6ce7c6e82f065748163319282ef370a5aef89796a770a5199a628059c74e50023f6e6221df35805c2f401c20e09d7f9a87509bce37012ef29470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
910c93d17c130a14709dbedebc12ca3f

SHA1
b3573e6fbdd86193813c30cf017922f030426f7d

SHA256
966c6f85c4db03ebd46924bb637799eac2cc7e88a3c9bcf4ada696685ef8290c

SHA512
9acbfd93a88f81911873e0e36173f87e9a1530a79970b10c4f83707c0ea3aeba7e3e6dbca5b9261ef65c3fc23b86f736c3c771f836bc6db060b0b6f140aaab55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af71ccebe98ebc31c1c898ee948828f0

SHA1
85066128efabb65a9b4fef0330840fa620422fb0

SHA256
4710886c2267cb2bf619358cad9ae70eb6b2d7bf82364dcd8ee93ecea52c1781

SHA512
060dd410fc9189c73c718f4c7aab672a1ffe31b088aa9b8587a7136beed2bb66652adc6fb316503770d1062201c2cfaaec9cb850fb98479623cb84bfab151554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af71ccebe98ebc31c1c898ee948828f0

SHA1
85066128efabb65a9b4fef0330840fa620422fb0

SHA256
4710886c2267cb2bf619358cad9ae70eb6b2d7bf82364dcd8ee93ecea52c1781

SHA512
060dd410fc9189c73c718f4c7aab672a1ffe31b088aa9b8587a7136beed2bb66652adc6fb316503770d1062201c2cfaaec9cb850fb98479623cb84bfab151554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22fb5c22d4c0bf8659fd4e2b91a5deb0

SHA1
c8b3092c2442d3efb9ade65a8c10f726ca93a1e6

SHA256
d0d402be399bfb47f485364094c6ef3f8b96ae4bd6ce61710901289bf416e1dd

SHA512
2f0ba17ec3b6cf721e57301c4b7c83af2fd7e695ef16fbdfbf8ed2ac5d57fe347e6f604c5ffcaece52e487b314a9d8dd729405e0153f09df0299c904e0e214cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd2e5682f861a6f721ea5c6150bb6846

SHA1
442026f0c050ef6c866d80379316e53bc7d7eeb2

SHA256
709ae4b464eca820d914d55c49c865867a5089f82c205131cf00ae37243c447c

SHA512
15597fb8aedf630f6d1523ed7bdc92a388e7bef99c97d54454ea14f855f27d7a31c440ed61dbf4ac015ec12a8a46cc5cf5945f924083b39c699f7b1d478e1820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd2e5682f861a6f721ea5c6150bb6846

SHA1
442026f0c050ef6c866d80379316e53bc7d7eeb2

SHA256
709ae4b464eca820d914d55c49c865867a5089f82c205131cf00ae37243c447c

SHA512
15597fb8aedf630f6d1523ed7bdc92a388e7bef99c97d54454ea14f855f27d7a31c440ed61dbf4ac015ec12a8a46cc5cf5945f924083b39c699f7b1d478e1820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
267312f778b5fbbaeaa19e38d6b746be

SHA1
64ec7df0273137890009739e0dbfe94f70548b02

SHA256
e7768a4c6634ed7cc6c96030018a87a296ecc328671c7ddcd6a45aa2fcc02f12

SHA512
9701ec50344294d1821229175a5d79d966b633ea0f15d9f5ac127711b7e56e8d4a3917b172d6d9cc2a33fe544aa9c63952d452a01ab2ad464cccbf27b6f89add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
267312f778b5fbbaeaa19e38d6b746be

SHA1
64ec7df0273137890009739e0dbfe94f70548b02

SHA256
e7768a4c6634ed7cc6c96030018a87a296ecc328671c7ddcd6a45aa2fcc02f12

SHA512
9701ec50344294d1821229175a5d79d966b633ea0f15d9f5ac127711b7e56e8d4a3917b172d6d9cc2a33fe544aa9c63952d452a01ab2ad464cccbf27b6f89add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
efef60f4824d2df83d5789b80796d0d9

SHA1
20337f24ba534b339e080f8c110978d4c5da8fed

SHA256
8d921c338f57119474980e6a73321505186c786de3443326aaa2edf801978f45

SHA512
996a0454691ceb6f8a89ff0387823b76bfe0d38a9db73d7d39eeadea8e3aaea9af73da0b016ac3905b8648e45b1bbd068c1eef873398fdc59c36f96f6507e5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec96b7378412994cef222924df2c9a9f

SHA1
4d585cc38aa270a6119250c2c03702275c89f933

SHA256
15e40a19e1ffdc418c67c0d1a329531dd3bcdb817d5fab0cb512d6cf196a1d50

SHA512
c20731acfabb5803c9db07534882c8147b8a9353253aef59448401ac108ae0729670fef9be555354046b31a184824b2bfdbe729a7457c3a8c8ba50611c1d31e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4fc5cbe8f2464c4d491c2aab7fd5a968

SHA1
a6c034f718d2604bddc90ff09e4e8c08473da823

SHA256
22973851d9d83545381cd194c9a9b7928608dc1f468d418bacb5276bd8f8f454

SHA512
9c454e5cbd3b5deed03ed2bb914756244381a00842bf165df93a06a3d1ba58cba7b62b0fa8106916dfbbdaaba0007f5954525b98ca4a3870eb401c24719cae05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9afb8abf4b203d5fa8ca78fc2588eaa3

SHA1
5105d81403e84a2b91e80e69a7e686436e38f2fc

SHA256
81cd09f38f98fd792671db2d48233d07ff1c31698bcb97094a81e04c3a6a20ac

SHA512
32f2e7d2b21bb5445b1bfb24ec0868e71aa8cd38d3b6e3878c42569e3bb0061a94f1bf12af8eed5b2488f71e9219abb535f86f8ba4a3e586c58256201b57a284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
180a36bb69b4677db53f720833c531c7

SHA1
7233b6c0419e16dca960d69b1f186df098741c7c

SHA256
4729c7adddbd1e120d4896788b191bfe7522b610d2f4a082e22a20f233f945fd

SHA512
c37b94c3f88dab7ab086d564a666cb6f3ebaa34c3be8634aa0c1ce468ef1c35b4eb8c908acc37f4b1494b667f5145104cbc980475aad54caee97ed598fc2a3a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bacda9f90f7601c9f1b0a0afd28f536b

SHA1
7ea7a1bb9cacbe2253fbe8c50c1296bf562159af

SHA256
5e6af2a03084c5c79213d6562691a2320812fc4037266a4228be7c756de8daba

SHA512
ecb6961c4eb2699ae1db58664e0eeae0e8b8bc368273b53481aed1fea21ef0fbc735f53185a1955c43ffa3a72a3b81778ea6aa0aea316559c17794474c9e3791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bacda9f90f7601c9f1b0a0afd28f536b

SHA1
7ea7a1bb9cacbe2253fbe8c50c1296bf562159af

SHA256
5e6af2a03084c5c79213d6562691a2320812fc4037266a4228be7c756de8daba

SHA512
ecb6961c4eb2699ae1db58664e0eeae0e8b8bc368273b53481aed1fea21ef0fbc735f53185a1955c43ffa3a72a3b81778ea6aa0aea316559c17794474c9e3791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
034050778f6af925b3d13cf1061c24af

SHA1
e3ef5de790a2b02a49984a5e5163e48fdb27e054

SHA256
cf006fe3737f2deb7120be1cba149c0102ec1f9e04701159557f3d131e6f39c3

SHA512
87289c30f75eb139ed7a2d8678ece01c4ae3a562861ed79ba99e1b1b6aad7cdc7a1bea4fd9bcf390caec1f39c6e7ee9443e57b5b9e0fa74b002fb0aa4f71d5d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ca0719eeb2141985725078a02424893

SHA1
5b5966e408570b0f6c230a75111793624eb48f43

SHA256
19df0de3ac031d03089008e172e23e7a0ffbafab05302ca7bc1efb89bf29e9ce

SHA512
6d31ab4b89d25770332ff37902670c2fb33e2e574bd23906c2ffb80a6965e31376e05a8eaf3a876020971155ad775e1c88a2a0d2f7dd1c80dd219b8b56f49693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90f36d9189d004ca57d68caf9b34efba

SHA1
ac4aa79aeb1561f58adc5271d2da51e59b7758db

SHA256
883cc5a38e9d598235a939c9df57e827ec04f6ba8281b9b0caed8d92ffbb879b

SHA512
4b8467570a1d7e6f96d9ce4cc0e50099f6cfd04fe1d1b6385cac9bb0ef5a68b516c1d4cb69cb959dd791ba03b9a8e41988f822eff71874c6147b4b73da803220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f311a9b8fd93b79b0174ca90e47dd2a

SHA1
96f883376469e99b405b1fea3018d6d47f2d6438

SHA256
4c99329e2521ac29a72fe27c9424d1507f735e9537f99554f686c954afaacb73

SHA512
e6eb9b003b733b4667fab7d7a5180c7b3e6a10d606df86c5d489465143182e11ba3479ac551ce06a44a4977f52127cf4642d902c3f01777d0869e68c7f865cdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f311a9b8fd93b79b0174ca90e47dd2a

SHA1
96f883376469e99b405b1fea3018d6d47f2d6438

SHA256
4c99329e2521ac29a72fe27c9424d1507f735e9537f99554f686c954afaacb73

SHA512
e6eb9b003b733b4667fab7d7a5180c7b3e6a10d606df86c5d489465143182e11ba3479ac551ce06a44a4977f52127cf4642d902c3f01777d0869e68c7f865cdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0032b923773238a5b726babe4307980f

SHA1
48bdb0ca4e818c73385a68e25ada1b799a0702c1

SHA256
23a3508ff594a84ae065047e31e64a0a0f198366d44953fda149a020220ac089

SHA512
e5da3e3fb911dcd8f4ee19d17f8f2be1cce667dae3137c31e285a64d1551b1dccd111f08bc950d712230e31ea090ae760ed111610a56abb2f608fecb7ab35402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0032b923773238a5b726babe4307980f

SHA1
48bdb0ca4e818c73385a68e25ada1b799a0702c1

SHA256
23a3508ff594a84ae065047e31e64a0a0f198366d44953fda149a020220ac089

SHA512
e5da3e3fb911dcd8f4ee19d17f8f2be1cce667dae3137c31e285a64d1551b1dccd111f08bc950d712230e31ea090ae760ed111610a56abb2f608fecb7ab35402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bee1a7b4bd466212cb51928487ee119f

SHA1
caa65e1b7593cb606585c66e9b442961fc1ab7d6

SHA256
d580cf5a236bb2fd7d97cc3c690f2e45de7f666a61656d48428d3f12e5d8d517

SHA512
219dd6e44a5494d31ada803538d797e45784dcff7037157d86336062bcee8c427d54598da922aa20506921414fb2f66d1821a20990587b504b8f5e6a5e4fd504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bee1a7b4bd466212cb51928487ee119f

SHA1
caa65e1b7593cb606585c66e9b442961fc1ab7d6

SHA256
d580cf5a236bb2fd7d97cc3c690f2e45de7f666a61656d48428d3f12e5d8d517

SHA512
219dd6e44a5494d31ada803538d797e45784dcff7037157d86336062bcee8c427d54598da922aa20506921414fb2f66d1821a20990587b504b8f5e6a5e4fd504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9468f9c52b0c823885887d9b0e6399d

SHA1
6f32fd3c0f840f47f215009d25137171afda5b52

SHA256
15720fd5d97348bc0bb82253b8b4b129752233f7d1739224bde075fbf5468043

SHA512
0195387b66ca91ed5c3a3cc8fa183f788b459453e31bf1144d6de9661acdbabd1302537b8498c9ebc6210f0d2bf8366699c36c90d206c85e58b2925b95c3ac5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9468f9c52b0c823885887d9b0e6399d

SHA1
6f32fd3c0f840f47f215009d25137171afda5b52

SHA256
15720fd5d97348bc0bb82253b8b4b129752233f7d1739224bde075fbf5468043

SHA512
0195387b66ca91ed5c3a3cc8fa183f788b459453e31bf1144d6de9661acdbabd1302537b8498c9ebc6210f0d2bf8366699c36c90d206c85e58b2925b95c3ac5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9468f9c52b0c823885887d9b0e6399d

SHA1
6f32fd3c0f840f47f215009d25137171afda5b52

SHA256
15720fd5d97348bc0bb82253b8b4b129752233f7d1739224bde075fbf5468043

SHA512
0195387b66ca91ed5c3a3cc8fa183f788b459453e31bf1144d6de9661acdbabd1302537b8498c9ebc6210f0d2bf8366699c36c90d206c85e58b2925b95c3ac5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e606005840c92e4d95e9762fcbd4daf

SHA1
d3386bc13f2c2d5342b04169385595863f091790

SHA256
a33d12f41551cf8625f89830b90bb63b69991ce7eb983f94cc12c37e3f567899

SHA512
af8ab97a3728f3833b1fb1e58a7fa028a73af3b5a7c57d4e540769f9f2f9ed940e8469c42c0c74a03dc2ad04f910d18d5fb9f8a7393c8810d5f4ce5d53b3816d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2d026e98fca0667225a2b01109634b7f

SHA1
bbab94c133a64b6eb7062f1f49e933bd42d369d3

SHA256
e62a49d9da05ee0ce698c762b1a8e51db26485b7783cc148c6d5e212c9ed0033

SHA512
c01574f53d96d4535a079faf390065e4d1f0acacb996647cb3deb842d29de151b5c56b732b34f5949da1b333bf6b645ba6668366c696e71b4dceecd51716c2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2d026e98fca0667225a2b01109634b7f

SHA1
bbab94c133a64b6eb7062f1f49e933bd42d369d3

SHA256
e62a49d9da05ee0ce698c762b1a8e51db26485b7783cc148c6d5e212c9ed0033

SHA512
c01574f53d96d4535a079faf390065e4d1f0acacb996647cb3deb842d29de151b5c56b732b34f5949da1b333bf6b645ba6668366c696e71b4dceecd51716c2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
501b2848e5f37200ce91622dd12d2ece

SHA1
be4e1512dcbbf369a7435dbfad6ef312b336d56a

SHA256
3716c0d58f8aeaad515a35b90562b28df88b6cdc6a919a3a216ff98815de5c81

SHA512
fc7fe662e03b038bd7bd001c23071185664d02437979b7922c7d0a1a172b98c1a748bc8f598e78654e40f9027f6a292f528f7f64f7eb58829401c1c545f545ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
445a3fd8d4adfe983630b5bb5946e953

SHA1
d3f24bfc550e262b2421fb407fc0417bfa512943

SHA256
589d5496ddfdaf287a258d517af15739a065146eea04edb5210c11413a0f0c7c

SHA512
ec0137f2c0736853b5816394ca35b881538bbf1fb12825bf37240b1e39658e7780a48202599cf3d1cca043799582ff5945fa907c5c50066feeea9d43cd2ca5ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
445a3fd8d4adfe983630b5bb5946e953

SHA1
d3f24bfc550e262b2421fb407fc0417bfa512943

SHA256
589d5496ddfdaf287a258d517af15739a065146eea04edb5210c11413a0f0c7c

SHA512
ec0137f2c0736853b5816394ca35b881538bbf1fb12825bf37240b1e39658e7780a48202599cf3d1cca043799582ff5945fa907c5c50066feeea9d43cd2ca5ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
445a3fd8d4adfe983630b5bb5946e953

SHA1
d3f24bfc550e262b2421fb407fc0417bfa512943

SHA256
589d5496ddfdaf287a258d517af15739a065146eea04edb5210c11413a0f0c7c

SHA512
ec0137f2c0736853b5816394ca35b881538bbf1fb12825bf37240b1e39658e7780a48202599cf3d1cca043799582ff5945fa907c5c50066feeea9d43cd2ca5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat

Filesize
221B

MD5
ccc12cb0110176d622093d0908c37e9c

SHA1
387c549c54c0bb69288df77341da95d9b015a11d

SHA256
5f62aad6a30523fc06acace121681dfc1639f92e239ba8992eb62a6121ea6cf4

SHA512
5ab9c6dbb559ab1b39b3c164308b47f2fb1036a3f5dfd82456e12c64a828c1166d32efeb7ba8a066479c9e70ee0e16e5170c689b6ea28fd9f2d380dd604c4ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

Filesize
221B

MD5
72c59f3ab5cb340023a2d97d9a4889e9

SHA1
c3817cc209486f9b3371c8e0c5377996fc6d7896

SHA256
a1cab1f4d75d5c5978198e79f6e16ab8154df60a627674a522b75f028aac7c5c

SHA512
a1cd6fa8f9f5dd5502c3e634b08ae97025677bb48f32cccb208475c83f48ed33f026d5fddff43977fb75208e150229809f6af0eb5045c3699e0d88df4b2e2802

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSKioGbcuq.bat

Filesize
199B

MD5
f79cd2812078a6daa3deaff36b1a89fc

SHA1
01db0f4e9be30fd35577893a0cd3a9fbafda569d

SHA256
743290dfb34c0542296cec1f6d4451e7940396e50f6437d25188c0a4f578b35f

SHA512
5e9ad3bcade06eb099f1c8ee9b0a9f50199fb1b57b9a04c963350840325c5a4739442debb6f41fa36e26211254c9e0e8744fe16a1cbf442cf39e49727f609f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFqaxwHYeo.bat

Filesize
221B

MD5
2e16605ac0644f5221fd6b19a7c2e466

SHA1
b1188b23024e8db0d08812cfae013a53cd0f5ff0

SHA256
2ad163a171fec963865b9e2710bccdd71a67a35e38bdd560817720eefb369cf2

SHA512
22225a62a035ebceec2dd404826cc9b27df62753cc411d44f6dcde95cac42fc5f4c5ae2df4684f07873ca6ae43ad0f8cfaffb3ed13dfba4312aac959d95723f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat

Filesize
221B

MD5
68aef485e953051f05daa3058ba2975d

SHA1
c125eb3c9141902e5b61d395d316a88e4ac17418

SHA256
2d7dffa6797b52b87a781d9252003f172b9ec755e716b663b5073be7b4169ad4

SHA512
af354b94bf35178d1c6356ad2143bb50a1bdc2424b1dc3fa61b33670a31878c38e95cbf892606325555a62063f1bde18db582ad68f919da6303334cfc9c2f77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

Filesize
221B

MD5
f4f94c00b32ab8f7b77016787827b10c

SHA1
9e8ed7a4deef5fdaebd124b6ca0b39d074a14f39

SHA256
f34169cf8abb3be94407ab7f2454ab03481e7f94dd09855ee980bf6fc7814c5d

SHA512
0ddf27480839db21c3a267ae826f8f29a0e7968f5c8048eac3fe72c8ecc3344984f7796e31bee65926780940ae83d5e161f07d3b2809fd43c871c61bd4cca5f5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\5b884080fd4f94

Filesize
881B

MD5
e2a304d299afe3a49396495339b04766

SHA1
5742bb50b1ae8c57ef4c8c87531edf2ea3eeb41c

SHA256
7db3566fe620fc96de0984b38b561b8a3dc8f3ea1c0b6ba2da9db137c537a1a8

SHA512
b2663f80db12e395b00f86bcde0556e232b6dd627c6c6fb6f59cf3d0caec8b5ce7e1a3672eb81cebe38bcccfc099c987603b50d5c0cad9638f95053ea9807cb3

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2020-183-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2020-182-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2244-313-0x000001D5716F0000-0x000001D571766000-memory.dmp

Filesize
472KB

Download
memory/2496-137-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-134-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-118-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-119-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-120-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-122-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-123-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-125-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-126-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-127-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-180-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-128-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-129-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-179-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-130-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-131-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-178-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-117-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-177-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-133-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-132-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-160-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-176-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-136-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-175-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-174-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-138-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-135-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-173-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-172-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-170-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-171-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-167-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-169-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-168-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-166-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-165-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-164-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-163-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-162-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-139-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-140-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-141-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-142-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-143-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-144-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-145-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-161-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-148-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-149-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-151-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-152-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-150-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-147-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-153-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-154-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-155-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-146-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-156-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-159-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-158-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-157-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/3836-283-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/3836-287-0x0000000002500000-0x000000000250C000-memory.dmp

Filesize
48KB

Download
memory/3836-286-0x00000000024F0000-0x00000000024FC000-memory.dmp

Filesize
48KB

Download
memory/3836-285-0x00000000024B0000-0x00000000024BC000-memory.dmp

Filesize
48KB

Download
memory/3836-284-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/3940-303-0x000002282E7C0000-0x000002282E7E2000-memory.dmp

Filesize
136KB

Download
memory/4860-1614-0x0000000001590000-0x00000000015A2000-memory.dmp

Filesize
72KB

Download
memory/5532-1620-0x0000000002D10000-0x0000000002D22000-memory.dmp

Filesize
72KB

Download