dcrat | 7f815c73fba16afab1ebd487649b27b93fd8becb170156ca07781a732fb6fc44

Analysis

max time kernel
146s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
31/10/2022, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f815c73fba16afab1ebd487649b27b93fd8becb170156ca07781a732fb6fc44.exe
Size

1.3MB
MD5

c8fc3b68b8cbc4f254755f61ceb894c5
SHA1

0b72dfba18ea6fb0b7b24f35e9ad6181358673ae
SHA256

7f815c73fba16afab1ebd487649b27b93fd8becb170156ca07781a732fb6fc44
SHA512

0042c65d8874b491a3e1d0f4573658e7d25bbf2076d22b2dad361e17b3860068f2469a296f695b8320f70b2ccb028b7e9b781da1bc3f22e90b26c7ce572bd0ed
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3644	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3644	schtasks.exe	70

DCRat payload 25 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000400000001ac07-284.dat	dcrat
behavioral1/files/0x000400000001ac07-285.dat	dcrat
behavioral1/memory/1616-286-0x00000000005C0000-0x00000000006D0000-memory.dmp	dcrat
behavioral1/files/0x000400000001ac07-330.dat	dcrat
behavioral1/files/0x000600000001ac3e-514.dat	dcrat
behavioral1/files/0x000600000001ac3e-516.dat	dcrat
behavioral1/files/0x000600000001ac3e-519.dat	dcrat
behavioral1/files/0x000600000001ac3e-511.dat	dcrat
behavioral1/files/0x000600000001ac3e-506.dat	dcrat
behavioral1/files/0x000600000001ac3e-503.dat	dcrat
behavioral1/files/0x000600000001ac3e-500.dat	dcrat
behavioral1/files/0x000600000001ac3e-498.dat	dcrat
behavioral1/files/0x000600000001ac48-700.dat	dcrat
behavioral1/files/0x000600000001ac48-701.dat	dcrat
behavioral1/files/0x000600000001ac48-706.dat	dcrat
behavioral1/files/0x000600000001ac48-713.dat	dcrat
behavioral1/files/0x000600000001ac48-718.dat	dcrat
behavioral1/files/0x000600000001ac48-724.dat	dcrat
behavioral1/files/0x000600000001ac48-730.dat	dcrat
behavioral1/files/0x000600000001ac48-735.dat	dcrat
behavioral1/files/0x000600000001ac48-740.dat	dcrat
behavioral1/files/0x000600000001ac48-746.dat	dcrat
behavioral1/files/0x000600000001ac48-751.dat	dcrat
behavioral1/files/0x000600000001ac48-757.dat	dcrat
behavioral1/files/0x000600000001ac48-762.dat	dcrat

Executes dropped EXE 21 IoCs

pid	Process
1616	DllCommonsvc.exe
1836	DllCommonsvc.exe
4624	powershell.exe
4224	powershell.exe
4472	powershell.exe
2380	powershell.exe
4332	powershell.exe
3816	powershell.exe
1900	powershell.exe
4688	taskhostw.exe
3284	taskhostw.exe
4864	taskhostw.exe
4288	taskhostw.exe
3384	taskhostw.exe
4148	taskhostw.exe
4904	taskhostw.exe
5000	taskhostw.exe
4472	taskhostw.exe
4348	taskhostw.exe
2860	taskhostw.exe
760	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Windows\System32\GroupPolicy\f8c8f1285d826b	DllCommonsvc.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\e978f868350d50	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Logs\SettingSync\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\SettingSync\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\servicing\fr-FR\sihost.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4712	schtasks.exe
3136	schtasks.exe
876	schtasks.exe
4800	schtasks.exe
1692	schtasks.exe
4752	schtasks.exe
2952	schtasks.exe
4696	schtasks.exe
4456	schtasks.exe
5076	schtasks.exe
432	schtasks.exe
3796	schtasks.exe
1900	schtasks.exe
5076	schtasks.exe
2952	schtasks.exe
4660	schtasks.exe
4016	schtasks.exe
3724	schtasks.exe
2388	schtasks.exe
4948	schtasks.exe
3088	schtasks.exe
4460	schtasks.exe
4572	schtasks.exe
4620	schtasks.exe
4772	schtasks.exe
3904	schtasks.exe
4416	schtasks.exe
1844	schtasks.exe
3688	schtasks.exe
824	schtasks.exe
1900	schtasks.exe
2664	schtasks.exe
4468	schtasks.exe
5096	schtasks.exe
4956	schtasks.exe
3720	schtasks.exe
656	schtasks.exe
4576	schtasks.exe
4892	schtasks.exe
4768	schtasks.exe
4160	schtasks.exe
1624	schtasks.exe
4348	schtasks.exe
3176	schtasks.exe
4740	schtasks.exe
4600	schtasks.exe
4532	schtasks.exe
4616	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	7f815c73fba16afab1ebd487649b27b93fd8becb170156ca07781a732fb6fc44.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	DllCommonsvc.exe
1616	DllCommonsvc.exe
1616	DllCommonsvc.exe
1616	DllCommonsvc.exe
1616	DllCommonsvc.exe
1616	DllCommonsvc.exe
1616	DllCommonsvc.exe
1436	powershell.exe
1500	powershell.exe
2024	powershell.exe
1812	powershell.exe
1328	powershell.exe
1644	powershell.exe
312	powershell.exe
2264	powershell.exe
4440	powershell.exe
1068	powershell.exe
2784	powershell.exe
2784	powershell.exe
4440	powershell.exe
4440	powershell.exe
2784	powershell.exe
1812	powershell.exe
1812	powershell.exe
1836	DllCommonsvc.exe
1836	DllCommonsvc.exe
1436	powershell.exe
1436	powershell.exe
1328	powershell.exe
1328	powershell.exe
1500	powershell.exe
1500	powershell.exe
1068	powershell.exe
1068	powershell.exe
1644	powershell.exe
1644	powershell.exe
2024	powershell.exe
2024	powershell.exe
1812	powershell.exe
2784	powershell.exe
2264	powershell.exe
2264	powershell.exe
312	powershell.exe
312	powershell.exe
4440	powershell.exe
1436	powershell.exe
1500	powershell.exe
1836	DllCommonsvc.exe
1836	DllCommonsvc.exe
1068	powershell.exe
2024	powershell.exe
1328	powershell.exe
1644	powershell.exe
2264	powershell.exe
312	powershell.exe
4688	taskhostw.exe
3284	taskhostw.exe
4864	taskhostw.exe
4288	taskhostw.exe
3384	taskhostw.exe
4148	taskhostw.exe
4904	taskhostw.exe
5000	taskhostw.exe
4472	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	DllCommonsvc.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1836	DllCommonsvc.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeIncreaseQuotaPrivilege	1812	powershell.exe
Token: SeSecurityPrivilege	1812	powershell.exe
Token: SeTakeOwnershipPrivilege	1812	powershell.exe
Token: SeLoadDriverPrivilege	1812	powershell.exe
Token: SeSystemProfilePrivilege	1812	powershell.exe
Token: SeSystemtimePrivilege	1812	powershell.exe
Token: SeProfSingleProcessPrivilege	1812	powershell.exe
Token: SeIncBasePriorityPrivilege	1812	powershell.exe
Token: SeCreatePagefilePrivilege	1812	powershell.exe
Token: SeBackupPrivilege	1812	powershell.exe
Token: SeRestorePrivilege	1812	powershell.exe
Token: SeShutdownPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeSystemEnvironmentPrivilege	1812	powershell.exe
Token: SeRemoteShutdownPrivilege	1812	powershell.exe
Token: SeUndockPrivilege	1812	powershell.exe
Token: SeManageVolumePrivilege	1812	powershell.exe
Token: 33	1812	powershell.exe
Token: 34	1812	powershell.exe
Token: 35	1812	powershell.exe
Token: 36	1812	powershell.exe
Token: SeIncreaseQuotaPrivilege	4440	powershell.exe
Token: SeSecurityPrivilege	4440	powershell.exe
Token: SeTakeOwnershipPrivilege	4440	powershell.exe
Token: SeLoadDriverPrivilege	4440	powershell.exe
Token: SeSystemProfilePrivilege	4440	powershell.exe
Token: SeSystemtimePrivilege	4440	powershell.exe
Token: SeProfSingleProcessPrivilege	4440	powershell.exe
Token: SeIncBasePriorityPrivilege	4440	powershell.exe
Token: SeCreatePagefilePrivilege	4440	powershell.exe
Token: SeBackupPrivilege	4440	powershell.exe
Token: SeRestorePrivilege	4440	powershell.exe
Token: SeShutdownPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeSystemEnvironmentPrivilege	4440	powershell.exe
Token: SeRemoteShutdownPrivilege	4440	powershell.exe
Token: SeUndockPrivilege	4440	powershell.exe
Token: SeManageVolumePrivilege	4440	powershell.exe
Token: 33	4440	powershell.exe
Token: 34	4440	powershell.exe
Token: 35	4440	powershell.exe
Token: 36	4440	powershell.exe
Token: SeIncreaseQuotaPrivilege	2784	powershell.exe
Token: SeSecurityPrivilege	2784	powershell.exe
Token: SeTakeOwnershipPrivilege	2784	powershell.exe
Token: SeLoadDriverPrivilege	2784	powershell.exe
Token: SeSystemProfilePrivilege	2784	powershell.exe
Token: SeSystemtimePrivilege	2784	powershell.exe
Token: SeProfSingleProcessPrivilege	2784	powershell.exe
Token: SeIncBasePriorityPrivilege	2784	powershell.exe
Token: SeCreatePagefilePrivilege	2784	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 2036	4808	7f815c73fba16afab1ebd487649b27b93fd8becb170156ca07781a732fb6fc44.exe	66
PID 4808 wrote to memory of 2036	4808	7f815c73fba16afab1ebd487649b27b93fd8becb170156ca07781a732fb6fc44.exe	66
PID 4808 wrote to memory of 2036	4808	7f815c73fba16afab1ebd487649b27b93fd8becb170156ca07781a732fb6fc44.exe	66
PID 2036 wrote to memory of 4384	2036	WScript.exe	67
PID 2036 wrote to memory of 4384	2036	WScript.exe	67
PID 2036 wrote to memory of 4384	2036	WScript.exe	67
PID 4384 wrote to memory of 1616	4384	cmd.exe	69
PID 4384 wrote to memory of 1616	4384	cmd.exe	69
PID 1616 wrote to memory of 1500	1616	DllCommonsvc.exe	101
PID 1616 wrote to memory of 1500	1616	DllCommonsvc.exe	101
PID 1616 wrote to memory of 1436	1616	DllCommonsvc.exe	102
PID 1616 wrote to memory of 1436	1616	DllCommonsvc.exe	102
PID 1616 wrote to memory of 2024	1616	DllCommonsvc.exe	103
PID 1616 wrote to memory of 2024	1616	DllCommonsvc.exe	103
PID 1616 wrote to memory of 1328	1616	DllCommonsvc.exe	105
PID 1616 wrote to memory of 1328	1616	DllCommonsvc.exe	105
PID 1616 wrote to memory of 1812	1616	DllCommonsvc.exe	106
PID 1616 wrote to memory of 1812	1616	DllCommonsvc.exe	106
PID 1616 wrote to memory of 1644	1616	DllCommonsvc.exe	110
PID 1616 wrote to memory of 1644	1616	DllCommonsvc.exe	110
PID 1616 wrote to memory of 312	1616	DllCommonsvc.exe	111
PID 1616 wrote to memory of 312	1616	DllCommonsvc.exe	111
PID 1616 wrote to memory of 2264	1616	DllCommonsvc.exe	113
PID 1616 wrote to memory of 2264	1616	DllCommonsvc.exe	113
PID 1616 wrote to memory of 4440	1616	DllCommonsvc.exe	119
PID 1616 wrote to memory of 4440	1616	DllCommonsvc.exe	119
PID 1616 wrote to memory of 1068	1616	DllCommonsvc.exe	118
PID 1616 wrote to memory of 1068	1616	DllCommonsvc.exe	118
PID 1616 wrote to memory of 2784	1616	DllCommonsvc.exe	116
PID 1616 wrote to memory of 2784	1616	DllCommonsvc.exe	116
PID 1616 wrote to memory of 1836	1616	DllCommonsvc.exe	122
PID 1616 wrote to memory of 1836	1616	DllCommonsvc.exe	122
PID 1836 wrote to memory of 4624	1836	DllCommonsvc.exe	142
PID 1836 wrote to memory of 4624	1836	DllCommonsvc.exe	142
PID 1836 wrote to memory of 4224	1836	DllCommonsvc.exe	143
PID 1836 wrote to memory of 4224	1836	DllCommonsvc.exe	143
PID 1836 wrote to memory of 4472	1836	DllCommonsvc.exe	144
PID 1836 wrote to memory of 4472	1836	DllCommonsvc.exe	144
PID 1836 wrote to memory of 2380	1836	DllCommonsvc.exe	151
PID 1836 wrote to memory of 2380	1836	DllCommonsvc.exe	151
PID 1836 wrote to memory of 4332	1836	DllCommonsvc.exe	145
PID 1836 wrote to memory of 4332	1836	DllCommonsvc.exe	145
PID 1836 wrote to memory of 3816	1836	DllCommonsvc.exe	146
PID 1836 wrote to memory of 3816	1836	DllCommonsvc.exe	146
PID 1836 wrote to memory of 1900	1836	DllCommonsvc.exe	147
PID 1836 wrote to memory of 1900	1836	DllCommonsvc.exe	147
PID 1836 wrote to memory of 4892	1836	DllCommonsvc.exe	148
PID 1836 wrote to memory of 4892	1836	DllCommonsvc.exe	148
PID 4892 wrote to memory of 3428	4892	cmd.exe	152
PID 4892 wrote to memory of 3428	4892	cmd.exe	152
PID 4892 wrote to memory of 4688	4892	cmd.exe	153
PID 4892 wrote to memory of 4688	4892	cmd.exe	153
PID 4688 wrote to memory of 2396	4688	taskhostw.exe	154
PID 4688 wrote to memory of 2396	4688	taskhostw.exe	154
PID 2396 wrote to memory of 4216	2396	cmd.exe	156
PID 2396 wrote to memory of 4216	2396	cmd.exe	156
PID 2396 wrote to memory of 3284	2396	cmd.exe	157
PID 2396 wrote to memory of 3284	2396	cmd.exe	157
PID 3284 wrote to memory of 4696	3284	taskhostw.exe	158
PID 3284 wrote to memory of 4696	3284	taskhostw.exe	158
PID 4696 wrote to memory of 4812	4696	cmd.exe	160
PID 4696 wrote to memory of 4812	4696	cmd.exe	160
PID 4696 wrote to memory of 4864	4696	cmd.exe	161
PID 4696 wrote to memory of 4864	4696	cmd.exe	161

C:\Users\Admin\AppData\Local\Temp\7f815c73fba16afab1ebd487649b27b93fd8becb170156ca07781a732fb6fc44.exe
"C:\Users\Admin\AppData\Local\Temp\7f815c73fba16afab1ebd487649b27b93fd8becb170156ca07781a732fb6fc44.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\GroupPolicy\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Executes dropped EXE
        
        PID:4624
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:4224
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\SettingSync\conhost.exe'
        6⤵
        Executes dropped EXE
        
        PID:4472
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe'
        6⤵
        Executes dropped EXE
        
        PID:4332
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:3816
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:1900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pSOgiotY6u.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3428
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4216
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4812
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
        12⤵
        
        PID:4988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2788
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        14⤵
        
        PID:3352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4776
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
        16⤵
        
        PID:4732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4256
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
        18⤵
        
        PID:704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1068
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
        20⤵
        
        PID:4372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4336
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
        22⤵
        
        PID:3268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4756
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
        24⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4680
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"
        26⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2196
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
        28⤵
        
        PID:1140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4788
        
        C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe"
        29⤵
        Executes dropped EXE
        
        PID:760
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        6⤵
        Executes dropped EXE
        
        PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\GroupPolicy\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\System32\GroupPolicy\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\GroupPolicy\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\providercommon\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\SettingSync\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\SettingSync\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\providercommon\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8950e28442a021f00c77bda379b4108

SHA1
35da9efd0bb24ffafc0578c81e919d2f6d47c2c7

SHA256
674cdd18dbf5c73aacc3f59dc5970c361cea533b414782ed262dc58717a9eea5

SHA512
d468362adaf6d4b076b92534930d3ab619bec9c1cb8d492a53cb747f12fa52bb5deb5ddd2fea5327bd44128a48f1eabed4ab51d40c6d1939e7889e76e56b8c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
efce649a4aa66667fb5417015a00164e

SHA1
7e4bd0547ca7dfdbfc669393c49092715d2ba6b2

SHA256
d1b8a44ef12f21ee80d242a175a875fc5234c009fecb6043a47125bfd3e35904

SHA512
20fa39fdb40753abc5f6331369d36198d7371b12164c840be10bea4d789101d9febfcad7fe2c30405a6787979464395f07e947cf857c7f6541d86c29f5bf3e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
efce649a4aa66667fb5417015a00164e

SHA1
7e4bd0547ca7dfdbfc669393c49092715d2ba6b2

SHA256
d1b8a44ef12f21ee80d242a175a875fc5234c009fecb6043a47125bfd3e35904

SHA512
20fa39fdb40753abc5f6331369d36198d7371b12164c840be10bea4d789101d9febfcad7fe2c30405a6787979464395f07e947cf857c7f6541d86c29f5bf3e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ea8eb4c93b171a1bd8f78c2f8d3c5f91

SHA1
c974b8f55f8e9523e09efcca15e98bbc3fdaecf9

SHA256
c28a2524ce1c2ae80134f7706c2635ebab867c3f72a765c379e52a39f6b33eaa

SHA512
842566248d47165c75a0c8a0c68a5c4a86b53dcaa847bc87e68f009a806cd985845976ae2a0268e7951f580f1cb850398a73e3c18be18d142619b23987b73878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ba7c3904b630a9698c164deaaba0d61

SHA1
94578648393bb8522681928f3c9da353249bf680

SHA256
2466b23aeaaddaa30b175f4296149aa7b3f84dd02b526ae8ca576819bb950309

SHA512
1143d6db5375a47c0b11a5a402c5fa38eb0cf02675401a9e2003bd94c3c5b241df59868d4263d5a8ba023ef879d83196724cf15a12df82530ba112c89929c73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da620bfaeb6a2ea4d6aec798488fc184

SHA1
03db0dd14013355038f03a05900db8fe3ac6786a

SHA256
a23995266845201abcc9955807fbe2866d1241995f8fc8d01cd70369b0e76f8e

SHA512
f763b1faaad468f679b45b0ddb66ac8a16a4b6000fd8bc2f5e171f86d413b11bb32ddfc19c00bc02c836f5d56661c1e9749e4619440bc81fd596c256fb93e6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da620bfaeb6a2ea4d6aec798488fc184

SHA1
03db0dd14013355038f03a05900db8fe3ac6786a

SHA256
a23995266845201abcc9955807fbe2866d1241995f8fc8d01cd70369b0e76f8e

SHA512
f763b1faaad468f679b45b0ddb66ac8a16a4b6000fd8bc2f5e171f86d413b11bb32ddfc19c00bc02c836f5d56661c1e9749e4619440bc81fd596c256fb93e6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9446f2124794b88b756bb4780a83079

SHA1
359c519e348651ac97fdb5cc4688da19961cd2df

SHA256
ad3ffae64d62a65322533d3526f8d74e361c75fea4eac2b4b272c4a73cbb6c24

SHA512
bc3e481531cfa087ec2e7d86ee1f16a0146d14a43f6672fb0f19623565b0ca5c413aa3e21dd2db72c15a7398e0702102a640185323eb05456c65ab23fb2c41a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bbf55dc4985b3f094c012facc2e9b28d

SHA1
f31b626dd0f0a3439f027ba8a437b0cc872c35ac

SHA256
eaecd84a31edef42af6eafc7f2c9514342edd257299073ec86c8528b4b622a63

SHA512
45a8abed24e8459a9c03ff6180a8b524e0a0f7f526a256da55e0d9b0af68d2cfce5394ca05a4ed65169de4a20bef5f77ee6339dd30f8730e6095ba935bc09312

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat

Filesize
231B

MD5
9a6780a865879a1efd12875fbc850e06

SHA1
ba061a8f46c5067b002131c80739d2c1b2501018

SHA256
a14809a9405e81df21e1c66f29184c54b4b54d931415702a38456acfb1034b23

SHA512
52a82310771e7d6f61d64cce3b01480cb7e53290d0f8b28948a96229a16fc6d5860ae9d94d7fe5bae44d37e3ce13356f63bfb563620711572db8e001b94cb83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
231B

MD5
67a17dd8bf811c4c4ebed1a302d2c5d9

SHA1
6f881b055bd9ab7988f67e1db56991dc35973aaa

SHA256
12a6369644f9cf9ee61e236de2739afa886208cd14462cb4ae28844770dc97e6

SHA512
7ce5278bedfa245a1b8c5969d5e603bdd5cf5c9ad0a043e4d617a483058c64be3019f536db34e307876567880d50b707df4145fe4825702081a7d165c296b74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
231B

MD5
18e9029d73518d351c27854d7e79d179

SHA1
529aca820f97798e7e6a53d1bc85898071882b98

SHA256
8193d205af6b3cf41b83ffb6a190769266bf5771d8e2fad0a42125f93443d1e2

SHA512
870ed10118d61ff0c1f5e18dfb6de87c19eed4bb4090f61ec47a298e736040691c34547bb8e9b353a46b080e3d008f10f2b67825d025ce2de9019d1c2c9cad31

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat

Filesize
231B

MD5
6601e74b2f3ba009faeda7ddc80080af

SHA1
29213565e724398c343aa4f769cdeacd273d67ae

SHA256
ab1e09f1a47f215a509e5388892572bc8f24af08a7eb65a148135d69a5f2efc2

SHA512
8cfc733c073efef40f50a2ead3db9e54f85e6936e28ca2ab324f6f78856cd996494dfdb2256accc3d62a15033c93bc6f21d0c0667933109c135c2bb525e9e479

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
231B

MD5
f723ac8980531f9bc0b985bf42faac13

SHA1
fd697441b68c68e7d528bcb70dd5c80b28685485

SHA256
7b216658679cbd7d7b20dc67318e1ade515b388158b98533579118a200d5e1fb

SHA512
4308dd7cbe79e99524074c32b3f7d7fad74deb909b697b0d5c01cc883642c7e3e6d27a21d5adf27736f2711a77a1ba4c22442616918f2af14cd2bad475155f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

Filesize
231B

MD5
46400d9d45bdff27f47209541c87de79

SHA1
68b81e0241e7f0cd1ef14ccad65ae08596032bfd

SHA256
637ed68d198ebbd3014725a62bd10c539d0c741b2e5555d54e1b4bd2363bbd32

SHA512
a87f1a9b8db2b2968a274363ab56adb24f7efc6dfaf8df270d0665c50b831037e77e964e6a08764dfa570b425b6c70a04093394e41faf55880999961bde7ff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat

Filesize
231B

MD5
b90dcf04b0fe8fb2e0ce406ec6c00f8e

SHA1
ed0103e08bea84bdb9653cc32f368643df42dd1b

SHA256
3dfbb696a2bb3ffc2cd88cd7e7879b2cd9dc083c039c337467101ab6c41d4eaa

SHA512
13db19b9b6cfabeb76ae74970f0d69806908c21047f9c78eefdf993d4a64f53c815afa0cd75b6c3fffdf18f26b5bef880557b9925327ea31a93a01d6af3081c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

Filesize
231B

MD5
79cca8d925b1c1b398a183a8a2032d92

SHA1
2d9e3db488612b82f97714c93ab490c6928d4467

SHA256
8380a25db3c2fbd1bae3488213f2c30fffb617bf415d098063bc46396d377e65

SHA512
3394200a28c3dd1654ba7e2d081a474f9e101c850f943705cda1bcc39493d8171b681a3394fb1c4e91b563f0de15c6859639b5538bf0c900e752e01f21462cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat

Filesize
231B

MD5
df088aee88a8b1c0690529f7c19918fc

SHA1
435a9e469c88f173e04e42085024cc3cf6354e80

SHA256
144cf1c19a8a702de81d84d24cfbc25e744e2325e37b3859c0c8cc9954db4f8e

SHA512
2d44aee4a0f0265adf78b98eb79c1090070ad945ddefa08b90d045d71c982ddd659d04d1a0aebda565697803f05b5ab0543cf5c81fa4e3c27d566a9634c9ced4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

Filesize
231B

MD5
d113595ee49c2c647fd3fb86016884bc

SHA1
7331ab53e0e78c30e2e8243070495f42883b76ff

SHA256
a95ee0aadfe9485c8971699fe2ee4e500755f7e9feea00428e251af0024ecb26

SHA512
869fac33c7db1aedd1c7faf9bc8cccbe57dfc60555c7a1258385cb8fb3cf37c560dcd1403468a5ea127d6b608e8fda7445a85e57147d55d37d804d72c564b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSOgiotY6u.bat

Filesize
231B

MD5
1221a7a1f95b65b5bcb703eb62c30459

SHA1
84f2ae7049b7fdda51549354947ce06b21d6d712

SHA256
55cfa8c640b00945e7a9021c845368bafe0f0a39907339928e9489c719945392

SHA512
73401fe227f0958cbf68e5da41fe583eb387269ab8d6981576e407781c89575d146c9b6ba5e4802fcedc65f852bffcb001e03dde0716d27cffb81d54821426e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

Filesize
231B

MD5
c1fe2c60acb6b31594fe1e48089bd7c7

SHA1
2db486a6022e5d8c21b56caca67a70a42fc38029

SHA256
ce862d824e348b50aac3281cd2462a3f27b7249c0ff5aea0e6268823608bf147

SHA512
140c8a71bb5a0aeff2cd314eae5ddae569515035ea4f63dd58f192a211abe83a916ce8353a3643e2adfab680c677a69cb82fe13ab44fac993f945ac9c0ec374e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1436-347-0x0000024197630000-0x0000024197652000-memory.dmp

Filesize
136KB

Download
memory/1616-286-0x00000000005C0000-0x00000000006D0000-memory.dmp

Filesize
1.1MB

Download
memory/1616-287-0x000000001B120000-0x000000001B132000-memory.dmp

Filesize
72KB

Download
memory/1616-288-0x000000001B130000-0x000000001B13C000-memory.dmp

Filesize
48KB

Download
memory/1616-289-0x000000001B140000-0x000000001B14C000-memory.dmp

Filesize
48KB

Download
memory/1616-290-0x000000001B150000-0x000000001B15C000-memory.dmp

Filesize
48KB

Download
memory/1836-349-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2036-186-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2036-185-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2784-355-0x00000179F82C0000-0x00000179F8336000-memory.dmp

Filesize
472KB

Download
memory/3284-708-0x0000000001670000-0x0000000001682000-memory.dmp

Filesize
72KB

Download
memory/3384-725-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/4288-719-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/4348-752-0x00000000015E0000-0x00000000015F2000-memory.dmp

Filesize
72KB

Download
memory/4808-168-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-181-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-170-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-167-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-166-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-171-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-165-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-164-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-163-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-162-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-161-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-160-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-159-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-158-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-157-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-172-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-156-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-121-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-122-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-155-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-120-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-154-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-153-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-152-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-173-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-174-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-151-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-150-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-175-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-149-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-148-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-147-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-176-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-146-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-177-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-145-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-144-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-143-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-142-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-141-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-123-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-140-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-178-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-179-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-139-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-125-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-138-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-126-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-137-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-136-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-180-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-135-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-169-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-134-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-133-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-128-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-182-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-132-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-183-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-131-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-129-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-130-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5000-741-0x0000000000FD0000-0x0000000000FE2000-memory.dmp

Filesize
72KB

Download