dcrat | 0ada7d2ad74a1b59a9ae896c6bafd0aa3d7ddef36774a0d62abf0dc643ee4281

Analysis

max time kernel
149s
max time network
153s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
31-10-2022 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ada7d2ad74a1b59a9ae896c6bafd0aa3d7ddef36774a0d62abf0dc643ee4281.exe
Size

1.3MB
MD5

8c776fa7f415827eb0d27282ae6971a9
SHA1

a7afcc92eb7bb4331b0cee12c20dd992ee38d713
SHA256

0ada7d2ad74a1b59a9ae896c6bafd0aa3d7ddef36774a0d62abf0dc643ee4281
SHA512

f89d4b225c1ad578c383a32e86f45d85fa5b4e0b82d685abd963fa8b8ee42c7d12f3b1df9abf9c37f4857df8a00f76782e5418ae5c14addbe815855469ec1585
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	160	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	5024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	5024	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001abcb-282.dat	dcrat
behavioral1/files/0x000600000001abcb-281.dat	dcrat
behavioral1/memory/4248-283-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/files/0x000600000001abf3-352.dat	dcrat
behavioral1/files/0x000600000001abf3-353.dat	dcrat
behavioral1/files/0x000600000001abf3-822.dat	dcrat
behavioral1/files/0x000600000001abf3-829.dat	dcrat
behavioral1/files/0x000600000001abf3-834.dat	dcrat
behavioral1/files/0x000600000001abf3-840.dat	dcrat
behavioral1/files/0x000600000001abf3-845.dat	dcrat
behavioral1/files/0x000600000001abf3-851.dat	dcrat
behavioral1/files/0x000600000001abf3-857.dat	dcrat
behavioral1/files/0x000600000001abf3-862.dat	dcrat
behavioral1/files/0x000600000001abf3-868.dat	dcrat
behavioral1/files/0x000600000001abf3-873.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4248	DllCommonsvc.exe
4924	taskhostw.exe
1260	taskhostw.exe
4300	taskhostw.exe
2872	taskhostw.exe
2628	taskhostw.exe
1476	taskhostw.exe
3576	taskhostw.exe
1280	taskhostw.exe
1456	taskhostw.exe
3208	taskhostw.exe
1548	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\DESIGNER\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\ShellExperienceHost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1516	schtasks.exe
1052	schtasks.exe
1928	schtasks.exe
332	schtasks.exe
4672	schtasks.exe
4588	schtasks.exe
208	schtasks.exe
4792	schtasks.exe
676	schtasks.exe
1300	schtasks.exe
1204	schtasks.exe
2316	schtasks.exe
4376	schtasks.exe
4760	schtasks.exe
3104	schtasks.exe
3792	schtasks.exe
3732	schtasks.exe
448	schtasks.exe
1380	schtasks.exe
1796	schtasks.exe
4704	schtasks.exe
2384	schtasks.exe
2292	schtasks.exe
4628	schtasks.exe
1944	schtasks.exe
4820	schtasks.exe
1664	schtasks.exe
4684	schtasks.exe
4764	schtasks.exe
4828	schtasks.exe
4708	schtasks.exe
460	schtasks.exe
4640	schtasks.exe
160	schtasks.exe
4728	schtasks.exe
4736	schtasks.exe
4812	schtasks.exe
2860	schtasks.exe
1236	schtasks.exe
240	schtasks.exe
4608	schtasks.exe
4788	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	0ada7d2ad74a1b59a9ae896c6bafd0aa3d7ddef36774a0d62abf0dc643ee4281.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
844	powershell.exe
844	powershell.exe
2204	powershell.exe
2204	powershell.exe
2296	powershell.exe
2296	powershell.exe
2620	powershell.exe
2620	powershell.exe
2096	powershell.exe
2096	powershell.exe
772	powershell.exe
772	powershell.exe
2700	powershell.exe
2700	powershell.exe
1836	powershell.exe
1836	powershell.exe
1776	powershell.exe
1776	powershell.exe
3372	powershell.exe
3372	powershell.exe
3920	powershell.exe
3920	powershell.exe
3672	powershell.exe
3672	powershell.exe
5112	powershell.exe
5112	powershell.exe
1344	powershell.exe
1344	powershell.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
3672	powershell.exe
4924	taskhostw.exe
4924	taskhostw.exe
844	powershell.exe
2700	powershell.exe
2204	powershell.exe
1776	powershell.exe
2096	powershell.exe
772	powershell.exe
2296	powershell.exe
3920	powershell.exe
2620	powershell.exe
5112	powershell.exe
1344	powershell.exe
1836	powershell.exe
3372	powershell.exe
3672	powershell.exe
4476	powershell.exe
2204	powershell.exe
2700	powershell.exe
844	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	DllCommonsvc.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	4924	taskhostw.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeIncreaseQuotaPrivilege	4476	powershell.exe
Token: SeSecurityPrivilege	4476	powershell.exe
Token: SeTakeOwnershipPrivilege	4476	powershell.exe
Token: SeLoadDriverPrivilege	4476	powershell.exe
Token: SeSystemProfilePrivilege	4476	powershell.exe
Token: SeSystemtimePrivilege	4476	powershell.exe
Token: SeProfSingleProcessPrivilege	4476	powershell.exe
Token: SeIncBasePriorityPrivilege	4476	powershell.exe
Token: SeCreatePagefilePrivilege	4476	powershell.exe
Token: SeBackupPrivilege	4476	powershell.exe
Token: SeRestorePrivilege	4476	powershell.exe
Token: SeShutdownPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeSystemEnvironmentPrivilege	4476	powershell.exe
Token: SeRemoteShutdownPrivilege	4476	powershell.exe
Token: SeUndockPrivilege	4476	powershell.exe
Token: SeManageVolumePrivilege	4476	powershell.exe
Token: 33	4476	powershell.exe
Token: 34	4476	powershell.exe
Token: 35	4476	powershell.exe
Token: 36	4476	powershell.exe
Token: SeIncreaseQuotaPrivilege	3672	powershell.exe
Token: SeSecurityPrivilege	3672	powershell.exe
Token: SeTakeOwnershipPrivilege	3672	powershell.exe
Token: SeLoadDriverPrivilege	3672	powershell.exe
Token: SeSystemProfilePrivilege	3672	powershell.exe
Token: SeSystemtimePrivilege	3672	powershell.exe
Token: SeProfSingleProcessPrivilege	3672	powershell.exe
Token: SeIncBasePriorityPrivilege	3672	powershell.exe
Token: SeCreatePagefilePrivilege	3672	powershell.exe
Token: SeBackupPrivilege	3672	powershell.exe
Token: SeRestorePrivilege	3672	powershell.exe
Token: SeShutdownPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeSystemEnvironmentPrivilege	3672	powershell.exe
Token: SeRemoteShutdownPrivilege	3672	powershell.exe
Token: SeUndockPrivilege	3672	powershell.exe
Token: SeManageVolumePrivilege	3672	powershell.exe
Token: 33	3672	powershell.exe
Token: 34	3672	powershell.exe
Token: 35	3672	powershell.exe
Token: 36	3672	powershell.exe
Token: SeIncreaseQuotaPrivilege	2700	powershell.exe
Token: SeSecurityPrivilege	2700	powershell.exe
Token: SeTakeOwnershipPrivilege	2700	powershell.exe
Token: SeLoadDriverPrivilege	2700	powershell.exe
Token: SeSystemProfilePrivilege	2700	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 4192	2760	0ada7d2ad74a1b59a9ae896c6bafd0aa3d7ddef36774a0d62abf0dc643ee4281.exe	66
PID 2760 wrote to memory of 4192	2760	0ada7d2ad74a1b59a9ae896c6bafd0aa3d7ddef36774a0d62abf0dc643ee4281.exe	66
PID 2760 wrote to memory of 4192	2760	0ada7d2ad74a1b59a9ae896c6bafd0aa3d7ddef36774a0d62abf0dc643ee4281.exe	66
PID 4192 wrote to memory of 4356	4192	WScript.exe	67
PID 4192 wrote to memory of 4356	4192	WScript.exe	67
PID 4192 wrote to memory of 4356	4192	WScript.exe	67
PID 4356 wrote to memory of 4248	4356	cmd.exe	69
PID 4356 wrote to memory of 4248	4356	cmd.exe	69
PID 4248 wrote to memory of 2204	4248	DllCommonsvc.exe	113
PID 4248 wrote to memory of 2204	4248	DllCommonsvc.exe	113
PID 4248 wrote to memory of 844	4248	DllCommonsvc.exe	124
PID 4248 wrote to memory of 844	4248	DllCommonsvc.exe	124
PID 4248 wrote to memory of 1776	4248	DllCommonsvc.exe	114
PID 4248 wrote to memory of 1776	4248	DllCommonsvc.exe	114
PID 4248 wrote to memory of 2096	4248	DllCommonsvc.exe	117
PID 4248 wrote to memory of 2096	4248	DllCommonsvc.exe	117
PID 4248 wrote to memory of 772	4248	DllCommonsvc.exe	115
PID 4248 wrote to memory of 772	4248	DllCommonsvc.exe	115
PID 4248 wrote to memory of 2296	4248	DllCommonsvc.exe	118
PID 4248 wrote to memory of 2296	4248	DllCommonsvc.exe	118
PID 4248 wrote to memory of 2700	4248	DllCommonsvc.exe	120
PID 4248 wrote to memory of 2700	4248	DllCommonsvc.exe	120
PID 4248 wrote to memory of 2620	4248	DllCommonsvc.exe	127
PID 4248 wrote to memory of 2620	4248	DllCommonsvc.exe	127
PID 4248 wrote to memory of 3920	4248	DllCommonsvc.exe	125
PID 4248 wrote to memory of 3920	4248	DllCommonsvc.exe	125
PID 4248 wrote to memory of 3372	4248	DllCommonsvc.exe	129
PID 4248 wrote to memory of 3372	4248	DllCommonsvc.exe	129
PID 4248 wrote to memory of 1836	4248	DllCommonsvc.exe	130
PID 4248 wrote to memory of 1836	4248	DllCommonsvc.exe	130
PID 4248 wrote to memory of 5112	4248	DllCommonsvc.exe	131
PID 4248 wrote to memory of 5112	4248	DllCommonsvc.exe	131
PID 4248 wrote to memory of 3672	4248	DllCommonsvc.exe	133
PID 4248 wrote to memory of 3672	4248	DllCommonsvc.exe	133
PID 4248 wrote to memory of 1344	4248	DllCommonsvc.exe	134
PID 4248 wrote to memory of 1344	4248	DllCommonsvc.exe	134
PID 4248 wrote to memory of 4476	4248	DllCommonsvc.exe	138
PID 4248 wrote to memory of 4476	4248	DllCommonsvc.exe	138
PID 4248 wrote to memory of 4924	4248	DllCommonsvc.exe	141
PID 4248 wrote to memory of 4924	4248	DllCommonsvc.exe	141
PID 4924 wrote to memory of 4660	4924	taskhostw.exe	145
PID 4924 wrote to memory of 4660	4924	taskhostw.exe	145
PID 4660 wrote to memory of 3740	4660	cmd.exe	147
PID 4660 wrote to memory of 3740	4660	cmd.exe	147
PID 4660 wrote to memory of 1260	4660	cmd.exe	148
PID 4660 wrote to memory of 1260	4660	cmd.exe	148
PID 1260 wrote to memory of 3508	1260	taskhostw.exe	149
PID 1260 wrote to memory of 3508	1260	taskhostw.exe	149
PID 3508 wrote to memory of 4492	3508	cmd.exe	151
PID 3508 wrote to memory of 4492	3508	cmd.exe	151
PID 3508 wrote to memory of 4300	3508	cmd.exe	152
PID 3508 wrote to memory of 4300	3508	cmd.exe	152
PID 4300 wrote to memory of 3412	4300	taskhostw.exe	153
PID 4300 wrote to memory of 3412	4300	taskhostw.exe	153
PID 3412 wrote to memory of 2700	3412	cmd.exe	155
PID 3412 wrote to memory of 2700	3412	cmd.exe	155
PID 3412 wrote to memory of 2872	3412	cmd.exe	156
PID 3412 wrote to memory of 2872	3412	cmd.exe	156
PID 2872 wrote to memory of 2244	2872	taskhostw.exe	157
PID 2872 wrote to memory of 2244	2872	taskhostw.exe	157
PID 2244 wrote to memory of 2200	2244	cmd.exe	159
PID 2244 wrote to memory of 2200	2244	cmd.exe	159
PID 2244 wrote to memory of 2628	2244	cmd.exe	160
PID 2244 wrote to memory of 2628	2244	cmd.exe	160

C:\Users\Admin\AppData\Local\Temp\0ada7d2ad74a1b59a9ae896c6bafd0aa3d7ddef36774a0d62abf0dc643ee4281.exe
"C:\Users\Admin\AppData\Local\Temp\0ada7d2ad74a1b59a9ae896c6bafd0aa3d7ddef36774a0d62abf0dc643ee4281.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
    - - C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3740
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4492
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2700
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2200
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
        14⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1800
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
        16⤵
        
        PID:3936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:332
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
        18⤵
        
        PID:4748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2220
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
        20⤵
        
        PID:3100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4176
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
        22⤵
        
        PID:4344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1376
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        24⤵
        
        PID:3952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:792
        
        C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe
        
        "C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
        26⤵
        
        PID:4668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
554aeb79fd000cc526b52f68bc582eaf

SHA1
01a77eee04e4e430dfa68afb040c7ba798e565ab

SHA256
d3bfa5323de711ecad12d314880005f893482f833535017af41081ce34f3f9f9

SHA512
8573e487531c732a61c47c3602d5cb94c25cfef8ab4a6eae288176bf90ba034b13a5d1ef991a1e510ff83199c9004864eda4ab54af28f55d466fa6321e34b4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4b3a7f38cc47ec0638026dd9ccbd4c0

SHA1
bf1b2098b4ed949c40cedd8e716879af695c4f33

SHA256
0be0019c621612e34862a0a2ddfe70ce9a1182c3ea5fb9b51a39af1a0ade5c7b

SHA512
8f56dc5055e8c7e965386cc6ad44b4940ab73aa458e33b0205087b354c77bec8f01aa5fa0caa69c5d06718aeeba3575b2906e8ece08aa9dee98b6d5becc17490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4b3a7f38cc47ec0638026dd9ccbd4c0

SHA1
bf1b2098b4ed949c40cedd8e716879af695c4f33

SHA256
0be0019c621612e34862a0a2ddfe70ce9a1182c3ea5fb9b51a39af1a0ade5c7b

SHA512
8f56dc5055e8c7e965386cc6ad44b4940ab73aa458e33b0205087b354c77bec8f01aa5fa0caa69c5d06718aeeba3575b2906e8ece08aa9dee98b6d5becc17490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a63a21df4996553127daf96bfd29802c

SHA1
be2eedd07d4e00e983a9648958973e29d5089e0b

SHA256
13c097870c455efdffc2052f7953185bf84a2b14e7b802ef2d7de5afb92317eb

SHA512
0aad22b2d900ec9e8bf9eae4e9c4323b45adbd9eb4f052393dbe12925c4963d9f24d5b5f1ddfc892a4c511338f52aac5675090eb784c5343d68df0d5113559f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a63a21df4996553127daf96bfd29802c

SHA1
be2eedd07d4e00e983a9648958973e29d5089e0b

SHA256
13c097870c455efdffc2052f7953185bf84a2b14e7b802ef2d7de5afb92317eb

SHA512
0aad22b2d900ec9e8bf9eae4e9c4323b45adbd9eb4f052393dbe12925c4963d9f24d5b5f1ddfc892a4c511338f52aac5675090eb784c5343d68df0d5113559f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
720d8ff8a4f1de355ffc1b3dab917808

SHA1
7be32c4ce79618621a81c99cf01d77b357bb054e

SHA256
075f84c4f54ef2625ed967fec29b9ff0e6e3cfeb39a68a40ef7af95286ce79b4

SHA512
c8872f48f27d12caabb06b8489e8adb9b3b3ef6b6555482831497e064693f3f1353b9e1bacb6a5f6058ea3b8dc1049d294483899d40690154ad5cf799979912f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
720d8ff8a4f1de355ffc1b3dab917808

SHA1
7be32c4ce79618621a81c99cf01d77b357bb054e

SHA256
075f84c4f54ef2625ed967fec29b9ff0e6e3cfeb39a68a40ef7af95286ce79b4

SHA512
c8872f48f27d12caabb06b8489e8adb9b3b3ef6b6555482831497e064693f3f1353b9e1bacb6a5f6058ea3b8dc1049d294483899d40690154ad5cf799979912f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10a460a0cb2555838f7ec487a8eb0f72

SHA1
e8c9c4a3e55192eb54b47efb37305f0a936e7a60

SHA256
95566ab0d576016fe7bcb03618672190710842e73d20ac7fb1abcd479312eb43

SHA512
8a0dbbc9f85206fad5689d238b48cf21e2d57f5018712db91dd7923939d01f23e0c197a4d4de3ebe2ca78e255ac0833afd0528fa92d1b22f8a022afa33a0ac61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10a460a0cb2555838f7ec487a8eb0f72

SHA1
e8c9c4a3e55192eb54b47efb37305f0a936e7a60

SHA256
95566ab0d576016fe7bcb03618672190710842e73d20ac7fb1abcd479312eb43

SHA512
8a0dbbc9f85206fad5689d238b48cf21e2d57f5018712db91dd7923939d01f23e0c197a4d4de3ebe2ca78e255ac0833afd0528fa92d1b22f8a022afa33a0ac61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d95eb17a39fae6213bf5f5acbcaa086

SHA1
86faa453123cfcd8241e85b6ac76e417debea074

SHA256
0f695ba94467be234f93d037be94a6109a11cf706d141a4b452c8cfd81209056

SHA512
ceeca006ee586a7bd68f42e4a6db0255f0ef01e7ad580ab6bbf81cc3f498187caa49d441695a082aab07a4bb0fcc4688f997c13f2d665a4f5aa10c8f8bb2c783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83f2f0b2307684bcb64ee76d910eedd4

SHA1
16cbce5f598910cbbdb7d240a566de677be6b927

SHA256
457922ef0f9dc612ae1293c63d4e2d913dcee75682f8546faf9df8622cd5d6d4

SHA512
22cb8404ca8a8c56b37239908fe55f9aacbf691df2c2cf32eaf8ff43544d9f41417a3bd99070032a71cb0fbe56798eb67a46e3703ad8b3442a73d85a06c8d631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83f2f0b2307684bcb64ee76d910eedd4

SHA1
16cbce5f598910cbbdb7d240a566de677be6b927

SHA256
457922ef0f9dc612ae1293c63d4e2d913dcee75682f8546faf9df8622cd5d6d4

SHA512
22cb8404ca8a8c56b37239908fe55f9aacbf691df2c2cf32eaf8ff43544d9f41417a3bd99070032a71cb0fbe56798eb67a46e3703ad8b3442a73d85a06c8d631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4732f2612ec2049b96ef7f0cef592d02

SHA1
e875ac157cca5255a07f465a8a36626dcf26986d

SHA256
697c7d99cb761282d37a508b17a5db6b51978918cc8a6e4b8b1d630bc07d06ee

SHA512
8d15d8dac1bd66a00dec5bc6523861983d228dc10d38666d0daa9f427f2f248200ac837f28c0fde19a4eb45f9f2aafd59eb1d33ae042196c8dae8e4898ad2aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4732f2612ec2049b96ef7f0cef592d02

SHA1
e875ac157cca5255a07f465a8a36626dcf26986d

SHA256
697c7d99cb761282d37a508b17a5db6b51978918cc8a6e4b8b1d630bc07d06ee

SHA512
8d15d8dac1bd66a00dec5bc6523861983d228dc10d38666d0daa9f427f2f248200ac837f28c0fde19a4eb45f9f2aafd59eb1d33ae042196c8dae8e4898ad2aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat

Filesize
291B

MD5
7db9e5980f00e65ed9c487e16f8be168

SHA1
59f1c9f13611e515ae11d83517d3954811cfb793

SHA256
9d9d80dde83649ce96a588cadbded561231b826eb09aaabb12c3f283569a0ecd

SHA512
3efa52ae9b7072572d41df23c2c0afba7504a1f17e4c11d3a9f7c0d0c408e0ce8bb725e0181173b94dd17347fa69aed08ea09e95146891c04b18e523af3346c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

Filesize
291B

MD5
f687e0fac6a0cf29d037b6ec627095cf

SHA1
2718e3b3cf5ac4c4aa7e4fac2f44503c135fe6e8

SHA256
3ef1816dfe3ece4444f882f1690dedbe4983521fc5d82bca2d64e9342af9cd99

SHA512
dda7295ec9d1c34849c2bfaaa50f7f7ba7854d29e343cc23f84319d1ed296aabcf64e90ee16826db458ca21c935259c0849e34b58a65d2fe484b4ccfc3480e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

Filesize
291B

MD5
7ce7e79601a7a20a137ff627fae5f996

SHA1
94fec1218f032cdff90c58c50cec7c10b1108f97

SHA256
2f01866e29cec5aa70c88e45876c7eeb121560d655b7cfdfa77a0d7c1fb1c285

SHA512
793d65e9fde991ee5f1ac309790e0be365f462b7b3890f8ef8b6541fcb62a964e6298b1af955eaddabd694e27059e70b21d9cd1382b555d044f9d8cdb8f148b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

Filesize
291B

MD5
d6f34a2ce494e5dbdfa62b7f4948f740

SHA1
34cbfdfec5ed9c810cbde5e638f5cf2fcb39d2e3

SHA256
db1cf60371d12a1ae0d61a6fb626f8d17eca0456a6ccab3c5ad003bd1eece43e

SHA512
d746ce5626bd10a100bc59e5a39db7b57552b84aebacda86c220787a052bad211803e66d672126fc97e3c69f83fad292cd4de68b970b19e3e8fb8b379dd27b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

Filesize
291B

MD5
856fb4a96819dbf4f1ea4af7dd7cbfec

SHA1
70f5719781fd83a8a476b3faaa81a63f36e394ab

SHA256
129ca8f3ca8f8c199e9716debcd1570625da5412d36a43053a4cc2a12da05cb0

SHA512
dba60523df027827701c6c30add595200302a444768d0c6566eff53be6fa87ef64631bb553489291faab2125e0e606b3ee65c67507e97afe47fe6047df78c220

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

Filesize
291B

MD5
1cb86af3254584fe0a73f5508e169a6b

SHA1
94a207c351fc7aa7fbbc2f74e67ff81b7dc8c48d

SHA256
cf2ab38e8d3560afa062c9accb7b63cd2fe30ec1af5cbb0a31b3298e29d3f92d

SHA512
411f571ca6585e103a3455839f2d1fa20b0cbef432dc4b59eb0324f7245585118c958afd7b6cecc6de3a9baf6452ee950d658e3a2a343bec4e6fac99e7a09b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

Filesize
291B

MD5
10cee028355322fd574de39e1f0de152

SHA1
70a6a5eafb4b9249f2856a92e7d2f7a1b73133ac

SHA256
f09daa1fbad2392c24aee3bdf091a41953707d4b4a1eef683b9f3fd764e30c47

SHA512
82746260f7290bea55822e38f32fad5cc5b381335d9420aaea819db6700941d2d33fab76ccb09b2cc6d3f160835908c0acd7aed81a7a6973da23d77b167f6d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
291B

MD5
f56bd7cb4f882c07072a86a633a47de0

SHA1
49d0c3d565521ee0bbbacf4e1920db35c5d83797

SHA256
3d03c4c24814e03f71c84a3e172b92094ee5babfc38079b88a691af64d88bc50

SHA512
853fdcab9875a03f3ff8fbda04b47bc4a52995da59679d46e355605e344c810bec2b4190c3c752ffca724477c9ab2757d273d5e50f79812591fe914fc8f52607

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
291B

MD5
f98385a05dc2f83d4799127a348c2d43

SHA1
6ce38be4bb8a9ae44da433947900f69716f0f186

SHA256
03414d01911c266910c9d8942a6b489c58cdb0664b8463838dd33f0f815c1992

SHA512
610281852e5b79293d182a3e0db9e9d056acfe86d2521dd6b3c69fe2f9db694ca5b978d2c62baba265436de4f0a6175dec68c2b7b60b1003e29bb3afb517af55

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat

Filesize
291B

MD5
f0a4c9b3748f6dee6b4061fee42203a0

SHA1
3ca6589ef8752ed0b6942e9bfcd1fb677978a8c1

SHA256
0136b83508dc0dbe1a046d51f8adae4f736d47f5b34b259d8a789abcc878b16c

SHA512
245cd1594c7a556a734bbdd86edb3e085586358a15f923e142932fcb9744b5d312f0a7a5f598b90dc34039e97cd555e12cea0cd73b35818e59732ed42f0c5bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat

Filesize
291B

MD5
2429d00fe208ecf620da1e7091fad04a

SHA1
c06925a7566eb948b5b2d7cf77a339659dfc02d0

SHA256
2cc64f56e6eaf0847c636035fc784d897cba29eb33a1e286e27c25a5af749d15

SHA512
b2b5d294a3080a3c9b4cd478a3ea6c9114bea94fc6bf24a773f44a7432311ffb54a1db0c29789b2a4b4cc46ab40e03052621ad49171107ffbaa53178035f6c1f

Download Submit
C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/332-849-0x0000000000000000-mapping.dmp

Download
memory/772-292-0x0000000000000000-mapping.dmp

Download
memory/792-871-0x0000000000000000-mapping.dmp

Download
memory/844-289-0x0000000000000000-mapping.dmp

Download
memory/1260-824-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/1260-821-0x0000000000000000-mapping.dmp

Download
memory/1280-856-0x0000000000000000-mapping.dmp

Download
memory/1344-316-0x0000000000000000-mapping.dmp

Download
memory/1376-866-0x0000000000000000-mapping.dmp

Download
memory/1456-863-0x00000000014A0000-0x00000000014B2000-memory.dmp

Filesize
72KB

Download
memory/1456-861-0x0000000000000000-mapping.dmp

Download
memory/1476-846-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/1476-844-0x0000000000000000-mapping.dmp

Download
memory/1548-872-0x0000000000000000-mapping.dmp

Download
memory/1776-290-0x0000000000000000-mapping.dmp

Download
memory/1800-843-0x0000000000000000-mapping.dmp

Download
memory/1836-302-0x0000000000000000-mapping.dmp

Download
memory/2096-291-0x0000000000000000-mapping.dmp

Download
memory/2200-838-0x0000000000000000-mapping.dmp

Download
memory/2204-288-0x0000000000000000-mapping.dmp

Download
memory/2220-855-0x0000000000000000-mapping.dmp

Download
memory/2224-876-0x0000000000000000-mapping.dmp

Download
memory/2244-836-0x0000000000000000-mapping.dmp

Download
memory/2296-293-0x0000000000000000-mapping.dmp

Download
memory/2620-295-0x0000000000000000-mapping.dmp

Download
memory/2628-839-0x0000000000000000-mapping.dmp

Download
memory/2700-832-0x0000000000000000-mapping.dmp

Download
memory/2700-294-0x0000000000000000-mapping.dmp

Download
memory/2700-364-0x000001DB56120000-0x000001DB56142000-memory.dmp

Filesize
136KB

Download
memory/2760-180-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-166-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-128-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-141-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-118-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-129-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-130-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-131-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-156-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-179-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-133-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-178-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-119-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-177-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-176-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-120-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-142-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-155-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-122-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-175-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-157-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-132-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-134-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-123-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-125-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-173-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-127-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-172-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-169-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-171-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-170-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-168-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-167-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-140-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-165-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-164-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-163-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-162-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-161-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-160-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-159-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-135-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-151-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-137-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-158-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-154-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-126-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-153-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-136-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-138-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-152-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-139-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-174-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-117-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-143-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-150-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-144-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-149-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-148-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-147-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-146-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2760-145-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/2836-841-0x0000000000000000-mapping.dmp

Download
memory/2872-835-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2872-833-0x0000000000000000-mapping.dmp

Download
memory/3100-858-0x0000000000000000-mapping.dmp

Download
memory/3208-867-0x0000000000000000-mapping.dmp

Download
memory/3372-299-0x0000000000000000-mapping.dmp

Download
memory/3412-830-0x0000000000000000-mapping.dmp

Download
memory/3508-825-0x0000000000000000-mapping.dmp

Download
memory/3576-850-0x0000000000000000-mapping.dmp

Download
memory/3576-852-0x0000000001100000-0x0000000001112000-memory.dmp

Filesize
72KB

Download
memory/3672-310-0x0000000000000000-mapping.dmp

Download
memory/3740-764-0x0000000000000000-mapping.dmp

Download
memory/3920-298-0x0000000000000000-mapping.dmp

Download
memory/3936-847-0x0000000000000000-mapping.dmp

Download
memory/3952-869-0x0000000000000000-mapping.dmp

Download
memory/4176-860-0x0000000000000000-mapping.dmp

Download
memory/4192-182-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-183-0x0000000077450000-0x00000000775DE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-181-0x0000000000000000-mapping.dmp

Download
memory/4248-285-0x0000000001440000-0x000000000144C000-memory.dmp

Filesize
48KB

Download
memory/4248-284-0x0000000001430000-0x0000000001442000-memory.dmp

Filesize
72KB

Download
memory/4248-283-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/4248-280-0x0000000000000000-mapping.dmp

Download
memory/4248-287-0x0000000002D10000-0x0000000002D1C000-memory.dmp

Filesize
48KB

Download
memory/4248-286-0x0000000001450000-0x000000000145C000-memory.dmp

Filesize
48KB

Download
memory/4300-828-0x0000000000000000-mapping.dmp

Download
memory/4344-864-0x0000000000000000-mapping.dmp

Download
memory/4356-257-0x0000000000000000-mapping.dmp

Download
memory/4476-397-0x000001B2BE9C0000-0x000001B2BEA36000-memory.dmp

Filesize
472KB

Download
memory/4476-321-0x0000000000000000-mapping.dmp

Download
memory/4492-827-0x0000000000000000-mapping.dmp

Download
memory/4660-762-0x0000000000000000-mapping.dmp

Download
memory/4668-874-0x0000000000000000-mapping.dmp

Download
memory/4748-853-0x0000000000000000-mapping.dmp

Download
memory/4924-344-0x0000000000000000-mapping.dmp

Download
memory/5112-306-0x0000000000000000-mapping.dmp

Download