dcrat | 5a6e7759b99a8c9d6e688017d9d4544eaba8fa1ba2b02826b35d3167c64c4e96

Analysis

max time kernel
147s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 01:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a6e7759b99a8c9d6e688017d9d4544eaba8fa1ba2b02826b35d3167c64c4e96.exe
Size

1.3MB
MD5

f474b03f42b80f95e2b1b0cc53055fa6
SHA1

cb57da177abe27daa042732cd39c2e9626eb2439
SHA256

5a6e7759b99a8c9d6e688017d9d4544eaba8fa1ba2b02826b35d3167c64c4e96
SHA512

e082259410eb61a75b9275a15d6c6ba1dd2236dd7e07f781673ff144ab3e973f76be2f9e01a0de2e27b77c462e4ba719e0deca689413af7279c9aebff3be5c1e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4424	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4424	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001abf2-279.dat	dcrat
behavioral1/files/0x000600000001abf2-280.dat	dcrat
behavioral1/memory/4940-281-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/files/0x000600000001abf2-537.dat	dcrat
behavioral1/files/0x000800000001ac14-863.dat	dcrat
behavioral1/files/0x000800000001ac14-862.dat	dcrat
behavioral1/files/0x000800000001ac14-969.dat	dcrat
behavioral1/files/0x000800000001ac14-975.dat	dcrat
behavioral1/files/0x000800000001ac14-981.dat	dcrat
behavioral1/files/0x000800000001ac14-986.dat	dcrat
behavioral1/files/0x000800000001ac14-991.dat	dcrat
behavioral1/files/0x000800000001ac14-996.dat	dcrat
behavioral1/files/0x000800000001ac14-1002.dat	dcrat
behavioral1/files/0x000800000001ac14-1008.dat	dcrat
behavioral1/files/0x000800000001ac14-1014.dat	dcrat
behavioral1/files/0x000800000001ac14-1020.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
4940	DllCommonsvc.exe
4780	DllCommonsvc.exe
3948	lsass.exe
4984	lsass.exe
4456	lsass.exe
3988	lsass.exe
496	lsass.exe
3056	lsass.exe
4628	lsass.exe
1884	lsass.exe
584	lsass.exe
3460	lsass.exe
1456	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_66\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre1.8.0_66\dab4d89cac03ec	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4480	schtasks.exe
4232	schtasks.exe
3596	schtasks.exe
4828	schtasks.exe
4228	schtasks.exe
4364	schtasks.exe
5072	schtasks.exe
4052	schtasks.exe
3324	schtasks.exe
4620	schtasks.exe
3256	schtasks.exe
4564	schtasks.exe
4672	schtasks.exe
1264	schtasks.exe
4380	schtasks.exe
4808	schtasks.exe
2244	schtasks.exe
4496	schtasks.exe
4648	schtasks.exe
4396	schtasks.exe
4384	schtasks.exe
3740	schtasks.exe
4300	schtasks.exe
3328	schtasks.exe
4208	schtasks.exe
4964	schtasks.exe
4328	schtasks.exe
4668	schtasks.exe
3488	schtasks.exe
3856	schtasks.exe
4356	schtasks.exe
4036	schtasks.exe
4892	schtasks.exe
4804	schtasks.exe
3952	schtasks.exe
1928	schtasks.exe
3368	schtasks.exe
2480	schtasks.exe
4896	schtasks.exe
4488	schtasks.exe
4972	schtasks.exe
5044	schtasks.exe
4484	schtasks.exe
4524	schtasks.exe
2968	schtasks.exe
4988	schtasks.exe
5064	schtasks.exe
2092	schtasks.exe
1988	schtasks.exe
1436	schtasks.exe
2244	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	5a6e7759b99a8c9d6e688017d9d4544eaba8fa1ba2b02826b35d3167c64c4e96.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	lsass.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4940	DllCommonsvc.exe
4436	powershell.exe
1860	powershell.exe
656	powershell.exe
4676	powershell.exe
1824	powershell.exe
1392	powershell.exe
1160	powershell.exe
4436	powershell.exe
656	powershell.exe
656	powershell.exe
1160	powershell.exe
1160	powershell.exe
1392	powershell.exe
1392	powershell.exe
1860	powershell.exe
4436	powershell.exe
4676	powershell.exe
656	powershell.exe
1824	powershell.exe
1160	powershell.exe
1392	powershell.exe
1860	powershell.exe
4676	powershell.exe
1824	powershell.exe
4780	DllCommonsvc.exe
4780	DllCommonsvc.exe
4780	DllCommonsvc.exe
4780	DllCommonsvc.exe
4780	DllCommonsvc.exe
4780	DllCommonsvc.exe
4780	DllCommonsvc.exe
420	powershell.exe
420	powershell.exe
420	powershell.exe
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe
652	powershell.exe
652	powershell.exe
3316	powershell.exe
3316	powershell.exe
4624	powershell.exe
4624	powershell.exe
2392	powershell.exe
2392	powershell.exe
420	powershell.exe
652	powershell.exe
2184	powershell.exe
2184	powershell.exe
2392	powershell.exe
4560	powershell.exe
4560	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	DllCommonsvc.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeIncreaseQuotaPrivilege	656	powershell.exe
Token: SeSecurityPrivilege	656	powershell.exe
Token: SeTakeOwnershipPrivilege	656	powershell.exe
Token: SeLoadDriverPrivilege	656	powershell.exe
Token: SeSystemProfilePrivilege	656	powershell.exe
Token: SeSystemtimePrivilege	656	powershell.exe
Token: SeProfSingleProcessPrivilege	656	powershell.exe
Token: SeIncBasePriorityPrivilege	656	powershell.exe
Token: SeCreatePagefilePrivilege	656	powershell.exe
Token: SeBackupPrivilege	656	powershell.exe
Token: SeRestorePrivilege	656	powershell.exe
Token: SeShutdownPrivilege	656	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeSystemEnvironmentPrivilege	656	powershell.exe
Token: SeRemoteShutdownPrivilege	656	powershell.exe
Token: SeUndockPrivilege	656	powershell.exe
Token: SeManageVolumePrivilege	656	powershell.exe
Token: 33	656	powershell.exe
Token: 34	656	powershell.exe
Token: 35	656	powershell.exe
Token: 36	656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4436	powershell.exe
Token: SeSecurityPrivilege	4436	powershell.exe
Token: SeTakeOwnershipPrivilege	4436	powershell.exe
Token: SeLoadDriverPrivilege	4436	powershell.exe
Token: SeSystemProfilePrivilege	4436	powershell.exe
Token: SeSystemtimePrivilege	4436	powershell.exe
Token: SeProfSingleProcessPrivilege	4436	powershell.exe
Token: SeIncBasePriorityPrivilege	4436	powershell.exe
Token: SeCreatePagefilePrivilege	4436	powershell.exe
Token: SeBackupPrivilege	4436	powershell.exe
Token: SeRestorePrivilege	4436	powershell.exe
Token: SeShutdownPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeSystemEnvironmentPrivilege	4436	powershell.exe
Token: SeRemoteShutdownPrivilege	4436	powershell.exe
Token: SeUndockPrivilege	4436	powershell.exe
Token: SeManageVolumePrivilege	4436	powershell.exe
Token: 33	4436	powershell.exe
Token: 34	4436	powershell.exe
Token: 35	4436	powershell.exe
Token: 36	4436	powershell.exe
Token: SeIncreaseQuotaPrivilege	1392	powershell.exe
Token: SeSecurityPrivilege	1392	powershell.exe
Token: SeTakeOwnershipPrivilege	1392	powershell.exe
Token: SeLoadDriverPrivilege	1392	powershell.exe
Token: SeSystemProfilePrivilege	1392	powershell.exe
Token: SeSystemtimePrivilege	1392	powershell.exe
Token: SeProfSingleProcessPrivilege	1392	powershell.exe
Token: SeIncBasePriorityPrivilege	1392	powershell.exe
Token: SeCreatePagefilePrivilege	1392	powershell.exe
Token: SeBackupPrivilege	1392	powershell.exe
Token: SeRestorePrivilege	1392	powershell.exe
Token: SeShutdownPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeSystemEnvironmentPrivilege	1392	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 4860	2688	5a6e7759b99a8c9d6e688017d9d4544eaba8fa1ba2b02826b35d3167c64c4e96.exe	66
PID 2688 wrote to memory of 4860	2688	5a6e7759b99a8c9d6e688017d9d4544eaba8fa1ba2b02826b35d3167c64c4e96.exe	66
PID 2688 wrote to memory of 4860	2688	5a6e7759b99a8c9d6e688017d9d4544eaba8fa1ba2b02826b35d3167c64c4e96.exe	66
PID 4860 wrote to memory of 3856	4860	WScript.exe	67
PID 4860 wrote to memory of 3856	4860	WScript.exe	67
PID 4860 wrote to memory of 3856	4860	WScript.exe	67
PID 3856 wrote to memory of 4940	3856	cmd.exe	69
PID 3856 wrote to memory of 4940	3856	cmd.exe	69
PID 4940 wrote to memory of 4436	4940	DllCommonsvc.exe	89
PID 4940 wrote to memory of 4436	4940	DllCommonsvc.exe	89
PID 4940 wrote to memory of 1860	4940	DllCommonsvc.exe	91
PID 4940 wrote to memory of 1860	4940	DllCommonsvc.exe	91
PID 4940 wrote to memory of 656	4940	DllCommonsvc.exe	93
PID 4940 wrote to memory of 656	4940	DllCommonsvc.exe	93
PID 4940 wrote to memory of 4676	4940	DllCommonsvc.exe	95
PID 4940 wrote to memory of 4676	4940	DllCommonsvc.exe	95
PID 4940 wrote to memory of 1824	4940	DllCommonsvc.exe	98
PID 4940 wrote to memory of 1824	4940	DllCommonsvc.exe	98
PID 4940 wrote to memory of 1160	4940	DllCommonsvc.exe	97
PID 4940 wrote to memory of 1160	4940	DllCommonsvc.exe	97
PID 4940 wrote to memory of 1392	4940	DllCommonsvc.exe	99
PID 4940 wrote to memory of 1392	4940	DllCommonsvc.exe	99
PID 4940 wrote to memory of 3804	4940	DllCommonsvc.exe	103
PID 4940 wrote to memory of 3804	4940	DllCommonsvc.exe	103
PID 3804 wrote to memory of 2688	3804	cmd.exe	105
PID 3804 wrote to memory of 2688	3804	cmd.exe	105
PID 3804 wrote to memory of 4780	3804	cmd.exe	107
PID 3804 wrote to memory of 4780	3804	cmd.exe	107
PID 4780 wrote to memory of 652	4780	DllCommonsvc.exe	141
PID 4780 wrote to memory of 652	4780	DllCommonsvc.exe	141
PID 4780 wrote to memory of 420	4780	DllCommonsvc.exe	142
PID 4780 wrote to memory of 420	4780	DllCommonsvc.exe	142
PID 4780 wrote to memory of 1576	4780	DllCommonsvc.exe	143
PID 4780 wrote to memory of 1576	4780	DllCommonsvc.exe	143
PID 4780 wrote to memory of 4624	4780	DllCommonsvc.exe	145
PID 4780 wrote to memory of 4624	4780	DllCommonsvc.exe	145
PID 4780 wrote to memory of 3316	4780	DllCommonsvc.exe	147
PID 4780 wrote to memory of 3316	4780	DllCommonsvc.exe	147
PID 4780 wrote to memory of 2392	4780	DllCommonsvc.exe	158
PID 4780 wrote to memory of 2392	4780	DllCommonsvc.exe	158
PID 4780 wrote to memory of 2184	4780	DllCommonsvc.exe	149
PID 4780 wrote to memory of 2184	4780	DllCommonsvc.exe	149
PID 4780 wrote to memory of 4560	4780	DllCommonsvc.exe	150
PID 4780 wrote to memory of 4560	4780	DllCommonsvc.exe	150
PID 4780 wrote to memory of 2740	4780	DllCommonsvc.exe	154
PID 4780 wrote to memory of 2740	4780	DllCommonsvc.exe	154
PID 4780 wrote to memory of 3680	4780	DllCommonsvc.exe	151
PID 4780 wrote to memory of 3680	4780	DllCommonsvc.exe	151
PID 4780 wrote to memory of 512	4780	DllCommonsvc.exe	160
PID 4780 wrote to memory of 512	4780	DllCommonsvc.exe	160
PID 4780 wrote to memory of 4520	4780	DllCommonsvc.exe	161
PID 4780 wrote to memory of 4520	4780	DllCommonsvc.exe	161
PID 4780 wrote to memory of 3116	4780	DllCommonsvc.exe	165
PID 4780 wrote to memory of 3116	4780	DllCommonsvc.exe	165
PID 3116 wrote to memory of 2804	3116	cmd.exe	167
PID 3116 wrote to memory of 2804	3116	cmd.exe	167
PID 3116 wrote to memory of 3948	3116	cmd.exe	168
PID 3116 wrote to memory of 3948	3116	cmd.exe	168
PID 3948 wrote to memory of 4772	3948	lsass.exe	169
PID 3948 wrote to memory of 4772	3948	lsass.exe	169
PID 4772 wrote to memory of 4292	4772	cmd.exe	171
PID 4772 wrote to memory of 4292	4772	cmd.exe	171
PID 4772 wrote to memory of 4984	4772	cmd.exe	172
PID 4772 wrote to memory of 4984	4772	cmd.exe	172

C:\Users\Admin\AppData\Local\Temp\5a6e7759b99a8c9d6e688017d9d4544eaba8fa1ba2b02826b35d3167c64c4e96.exe
"C:\Users\Admin\AppData\Local\Temp\5a6e7759b99a8c9d6e688017d9d4544eaba8fa1ba2b02826b35d3167c64c4e96.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\Licenses\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1BphuIs2Vs.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2688
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre1.8.0_66\SearchUI.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\sppsvc.exe'
        7⤵
        
        PID:3680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
        7⤵
        
        PID:2740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        7⤵
        
        PID:512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\csrss.exe'
        7⤵
        
        PID:4520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OiGayms2lX.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2804
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4292
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        11⤵
        
        PID:828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4940
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
        13⤵
        
        PID:4076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1516
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat"
        15⤵
        
        PID:4204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1576
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
        17⤵
        
        PID:4904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3324
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
        19⤵
        
        PID:4360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:5044
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        21⤵
        
        PID:4300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4888
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
        23⤵
        
        PID:4348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3596
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        25⤵
        
        PID:656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1296
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
        27⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4304
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        28⤵
        Executes dropped EXE
        
        PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\Licenses\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Licenses\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\root\Licenses\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre1.8.0_66\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre1.8.0_66\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
09b0d0aee31eb15971e962706061603e

SHA1
d356c7b4e62420e4778c32981f0c323271af27d1

SHA256
bc34b89ae308b206cc5edaafe99d73f740a6f20c696dd451fbed834aa065e52d

SHA512
17e15adf9a70dbb852db4ac1f51304bd94100dd9401af4a42958d3f6dc58b42c2338b2c0fc650e959ba4814ef908d85ca041cb26cf2cb63bbc8b889a13f480b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03b85a9fa15bfe09196dee42f62becd2

SHA1
9f286389f535f9caad77a196c4cece116e1cae5e

SHA256
f375ab5951973db2e5efd6881e8698ebcf64e5d73fa70612a2304270f7423554

SHA512
52663ac2462ba6e546e7ea2f7a92afc23554d9cfda1857d57a23c257f5a13aecb9430397b577a0fb6187510223a47220abe0abc318a36c3eb7b0dc923da99f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03b85a9fa15bfe09196dee42f62becd2

SHA1
9f286389f535f9caad77a196c4cece116e1cae5e

SHA256
f375ab5951973db2e5efd6881e8698ebcf64e5d73fa70612a2304270f7423554

SHA512
52663ac2462ba6e546e7ea2f7a92afc23554d9cfda1857d57a23c257f5a13aecb9430397b577a0fb6187510223a47220abe0abc318a36c3eb7b0dc923da99f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf232aeecd2df725655fed1d94ae6d73

SHA1
134f1eed57fbee1e217d3520506841cf4818c097

SHA256
5bb105c067a980a09d132b2718bfa6e2b7de1a9bb26d65b58def35cf8a8ad665

SHA512
a4d382c46d4b12176aa778809bd99bfbf6fd72ad46208c7b00f85330a76f1ce9b5aaccf509cb4c3d84e46636903af52cf064d25b8c90c2c6bfbe338c9bb8582a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
290e45825e561317a9c88e9eb0af7b8f

SHA1
de7ed4fccff4b9413cfcb58097a4a80865221825

SHA256
f63899fee175ce87d7f9bb261222df66ad263232af514639d0694c3640f4be4f

SHA512
ed278dc4a46510029cc2a0b80a16be7eb273ea4f60f5aa1079142f494860c11a23e1c33db2c9d9d84269b3af5152b7626ba4e4377b8c4f2dd9da383c8cecd8b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b6934733f5d6a1d8dd9b2b9bc9ddba2

SHA1
7afeef84c189864ad48e6aa84b9d149b1ffc4c3c

SHA256
5b3696e9e24218b8b1041ddffd6c78726c32efb3e36d0b7a5a8c50d7e86b1efc

SHA512
80e78614698ed56b2d6bd056e811ac97370762806c3c72044041940785ded898941d2df92d80e92f4693bfbf63304bc38edbe70cc800bd16fd0b6e99dd23d11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b6934733f5d6a1d8dd9b2b9bc9ddba2

SHA1
7afeef84c189864ad48e6aa84b9d149b1ffc4c3c

SHA256
5b3696e9e24218b8b1041ddffd6c78726c32efb3e36d0b7a5a8c50d7e86b1efc

SHA512
80e78614698ed56b2d6bd056e811ac97370762806c3c72044041940785ded898941d2df92d80e92f4693bfbf63304bc38edbe70cc800bd16fd0b6e99dd23d11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ede42aa111e9347891c26a9a3310655

SHA1
b705f30932e59cc1e4925289c71cd3f07dd55b30

SHA256
0461d72564f78c0d5f772f87fc1a173c3e35a43395f459e73a9d379970ea23d7

SHA512
0ce343be3ab049d3b14277b35263f80bdfa33356874693c68f3bed6e76c31485e7f8086ff40042d487e8e4c216a386a8bf8a0b0a00f776697d81a4143e752ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
13612df6fcc453b1bc46c8813e6841d7

SHA1
35844e2f13985b110428f81f7e1c28d1063ec649

SHA256
6cd9690fdc55d78f87352100e9e57318ce6f0f455ce98fcc8e1b141d99c2a6c7

SHA512
e9d594924694b6e50f4847f951d9dc06ade2ec69a0f7222563fde2ce018a4802a0dfc572697a9290a1257d91f611b7238d42b497bc3bddda95c3a2bedd44163e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e61585bbb1f68cb1fa5313f30621daba

SHA1
4a00857a54ab20b64ad109b5215cfc71e953d6e2

SHA256
ad871b235f8108213b851c99d064a189557b779d84de5fbf50389a5df285e780

SHA512
c0f89d739edc1c198a96e06bd9be631f2301d1b92e334c7c591317ecdbee73ee5f743f7d89006d8b36e8d1748309fb3103fbd12fe142830328aef49d1545e321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ca25b8d53cecb0fcb1ffe46e4e23e8b

SHA1
0943c101d2a95a32a03ba401f0afd63ea43873d9

SHA256
c55256445c749c73584a27aae84a385abafb4bd847bc6157e24b66cd2d8b2ac4

SHA512
355636ab5bd4ba219f8e79c4ba59b1dafa28e2dfb139e9007743c2c3f4d9072af26122a51ecdb592accccdaab78263a6971b1edb52a739c6376c3a95039542f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c96e9d6f9a1d59f71a0dfdcc5dfe9d89

SHA1
d033b60412dbe392466a00c432310ef051b6618b

SHA256
54fa5b2fb27f0ebd19de7bc4bfd6221e3cb99eb63d7eb2acc04676c050fd9354

SHA512
64bf5f3251d1215e0d953ebd64f2456c6d568ea361ac99ec5518a9f3138196254b6488abfbb36c420e1ac37dbdf00406932b916459ca3f8542a59492236da159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
557ec6402f70400812af3e5010567748

SHA1
d3328527d5d5202c0a37554c75b6efb901312520

SHA256
3f95f82a02f7208d4dc176e645693969ef9b94f2222bc8e5b9c63234eda9adb3

SHA512
0c09a313aff49b31ffd48699fe3ade29a0af8bac84d6beb0ee7d26fb8d9a5d3b8786b44cd77e8c166774edb47d0841f926282bb1ec2ddde2c30ca1e55ef2a229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
557ec6402f70400812af3e5010567748

SHA1
d3328527d5d5202c0a37554c75b6efb901312520

SHA256
3f95f82a02f7208d4dc176e645693969ef9b94f2222bc8e5b9c63234eda9adb3

SHA512
0c09a313aff49b31ffd48699fe3ade29a0af8bac84d6beb0ee7d26fb8d9a5d3b8786b44cd77e8c166774edb47d0841f926282bb1ec2ddde2c30ca1e55ef2a229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d08eee6af733d387013e6cb562d0fd1

SHA1
f9b7c440693fc2e6b941b181536bd937f8bc68bf

SHA256
d460631fec6b1160606d45ffdecd677558ac0818cc5879cec612cdf4b3cf461b

SHA512
5b208ce7b99853c1352a7f909dafec2e8e8970bd0b2c24c45143b332b016866fdafdca6c3557ba03332d1d9cc353ff1a2d075d50faef6daa61abd83632a12092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b59c8ef1e76d31c180903d4c13f96e5b

SHA1
8695e3eade69d3a1caac4bad8b688a401827dab3

SHA256
15a0895b5efd3e01c6746b391311ef8ad1fea2a06487cde765d3a0bb73d5089b

SHA512
5e29693adfd0a9ce05583b48a451f40be9d209080370b33e797f46df178af66605f71a168ea10472ca8400c68e0d8d092abcd095185700800842d2c4a5daa600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
429aedde04ce02f1c0a38fa0cbaddb49

SHA1
43286d034970d8ebd191b12e22acdea92d62b653

SHA256
07d67d3d9d478c2cf97eb1017513ccc7a472273f9e018097bcb4958822813819

SHA512
bdacf94c61039dbd4f72547439dd4c304cf173628faa0cddcc9581ba8f8b7fadb8f8f9a7ea5577d336310ff1acdd2a2739d79e7a715d90563277448d2bb7a76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3b351ef1a7e384c9077c58cdad7381f

SHA1
1fd6ad76d3b903fb57ebee7643f3cf1a39b2d645

SHA256
c466e13538e24d2ad01bd7d2e295ff1e1987ea24e808c9f64a092438cb632582

SHA512
f35f07d1720a0ae77995dff08d0de268ca82c037e88a2b94e1c8a98dae4f59339bbee7e5593a704e551ed0b588b57e21aff598d100dc036ced022f4a050e6b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BphuIs2Vs.bat

Filesize
199B

MD5
fc38103ec2539c4d0f740d3c0c75c664

SHA1
8359869abbc6e9fb4451b93f16803f0bc3df95ee

SHA256
74e9aa2f2f39967689d68b6a651badb41b75b19abf921265c69d222146157c44

SHA512
d137f96c04524a0b992c518b05c071f2e0ac4d5756fd17ce2b458895915d17a9fc2c727125963001554ea73f9970b9ad5ff8aebf493417b2cc618b43cda10a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
196B

MD5
171712d9ec4b48dd1e3c854bc1e862b9

SHA1
bab67d05e22cbe9e45e720edf76e0fe348530c75

SHA256
b9d76b81a73155de3f145d4e22b9ad7b1653ef97b94d326ca44a1663f051544e

SHA512
e41b137b397f08450d02a303ada1e084ebbb46d0d9513bc12185c31da9209b0effb579e08780c6fcd06836ab170e45ffcec36b3f6c0e92a26242ac179b68bf7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat

Filesize
196B

MD5
9bf7c2a4bddc5425d63eb4ca74e04012

SHA1
daaf1301e10a622db157a4e6f7728ab7eac0c9e3

SHA256
37cad0c5e45731bbe8b2cdadda8aa175c847a200bfa315189662dce149a8c642

SHA512
078e9d81edfc233a3a280d1807fe1a57e8d31da9ddddb30cc541dffc56838c29356c4cac4fa842656b05a57d87ac87bc62bb587906c56fae662d0c836fcde85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat

Filesize
196B

MD5
84b5301bf4b8176c04a73d3edcbb7e49

SHA1
023e12bb3dca144bcfea1b591fe117ca8f31567e

SHA256
881399a43ca72cf95f7d3b511ee375f645e1b2e5ce33a4c7a13fab92478fdae6

SHA512
79cd145f600459153237d359d56bd20dd044fb83cfd1428b92a30cb6d52ac851a94bf209724dcbe407f584d58de8893ecacfde378caf0c7f5807f5413311091e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat

Filesize
196B

MD5
d01d8d6890d6123353b85a3dd830bd3b

SHA1
9ec9706478f189d9347e6ccf235254b30e6ac80f

SHA256
d571685e3c05f8b99c37f75cb731ae1b0d565c83ab21edb0e1119d1ea5fff2f7

SHA512
18fc148c5168b9ab4379c28e88c26ab94a09085fe38f68dda91bb0a28775405535d1e45969a06fa6c8fa2e8261da86219238040ffb560ef3e4064c7784d1138c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OiGayms2lX.bat

Filesize
196B

MD5
924499f305862eb3bdfe82d5604ac7f0

SHA1
1e4e91ce0f2f8cd830d64f554460a395a7b88874

SHA256
b3fa8bd1ed14f99fd7a4a883f05375b57213123da7263ce14e999491cb98ab83

SHA512
e87fc5bdc71f08d48a078c51cc6cf23db2028eab4e070415af7a0b2c4239a15bb2d608c82e4e0d2412cb4c307bea4e08e0b4fb422ee5b1dc0a7cb81f7461f8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

Filesize
196B

MD5
e78436af8a41473cde31f914a03e55c2

SHA1
a784d7c8e4adadc0b40513906f6aaeb57e3f0780

SHA256
9cfccb73852e471401ee4288e22848c61ee67a42efc948784d8aeff7eb5f00dd

SHA512
1c48211e46fab716c702da3cf03963104ea7e03a7b4badc5790ba16fdf9c5f2d395f884c666068bdf7e2886b92b79eb7e03cd90c3d740d3f9352930f438a7ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
196B

MD5
9a2905794d2517df05dddb350a6aa3b7

SHA1
3115795c8a047e98720b21a3155f0fcd5b0dbd6f

SHA256
f8529907312a3d1570dcf62a576a6488be4bc80e07cf56ffce452e1c69e34138

SHA512
a2e2733f8468db61bd46b1ac949a4c49659442118bc481c3d22a588c6f4f40132e717e896e67b5b60c9e5c2feea1c1ca13339dd50270f68d3b8d39bc10d1d63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
196B

MD5
7a3651f9cd7993190999ef446087a4cb

SHA1
d780f6aff7f019f5982625b9d85454faadddf43c

SHA256
103d7861b00377e7295c460928266c34f513ff1d4021271c17750cbbabf7239e

SHA512
7b719be126cdd29bb899a2c47ed61074a6665f048bc402ed6711cf2abf62d9aa0cbde061e19e643320f1ed22be02f940dd228c7fff47d881aaae3b2fb7e838c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
196B

MD5
540f810986ebe4909a321369a855ff4a

SHA1
c63965cf99417ef39ec805870bbe7f79eb5f31e3

SHA256
6a6cf2b7031c83411720ea9dd0685372abc43fee9a6f036ae0063bd108942eb2

SHA512
0ad0bb78f474fc02fc803256e5e12d034feb900b3efa32051d17b9e7e3a90780e74b260278150ceaf6f63997ab57d2c78d4e407f542cd52f3a9d58e7c05264e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

Filesize
196B

MD5
685506f9578cf8bc333fe588685e615f

SHA1
984e91bf257935a25c1f58099aa613bf2d9f568a

SHA256
adba3d3be188f37f54d1b9ebe32d647214467b2aef3167f376aa9b39d7d2b6ba

SHA512
5c45022b489b6ab5ca2b5aa6e17f6ccf30b971fcac3973d671ad3a4fe430a5772203db389f567f5181626f7eb99cfe7f278a67e1f1bfb610471f1bb525070d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat

Filesize
196B

MD5
c7572ef921757e530001afc3ec2f057c

SHA1
cecb6db562f26d0f9946408d60eb05c48c12a49c

SHA256
8464304ab7db8eecee2ab9ebf82bbf0a89ca06004ddb9079ca897077e2547a4d

SHA512
3d65b2780fd048ebe8098999ff975eacfd0603110b24e2d8a16539b0a0563cbf5edd37d6190751cd4286a973717b3b1ecba57a71ce25fa6aaa462fe899505fd7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/584-1009-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/1456-1021-0x00000000010A0000-0x00000000010B2000-memory.dmp

Filesize
72KB

Download
memory/1884-1003-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/2688-163-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-135-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-116-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-117-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-118-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-120-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-143-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-121-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-123-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-124-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-125-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-126-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-127-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-128-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-129-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-130-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-178-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-177-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-176-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-175-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-174-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-131-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-173-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-172-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-171-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-170-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-169-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-132-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-167-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-133-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-134-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-145-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-168-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-144-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-166-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-136-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-138-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-165-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-142-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-164-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-137-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-115-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-162-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-161-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-160-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-159-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-158-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-157-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-156-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-155-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-154-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-153-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-152-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-151-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-139-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-140-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-150-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-149-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-141-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-148-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-147-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-146-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3460-1015-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/4436-322-0x000001ECF8DF0000-0x000001ECF8E12000-memory.dmp

Filesize
136KB

Download
memory/4436-327-0x000001ECF91D0000-0x000001ECF9246000-memory.dmp

Filesize
472KB

Download
memory/4456-976-0x0000000001140000-0x0000000001152000-memory.dmp

Filesize
72KB

Download
memory/4628-997-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/4860-180-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/4860-181-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/4940-282-0x0000000002DB0000-0x0000000002DC2000-memory.dmp

Filesize
72KB

Download
memory/4940-281-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/4940-284-0x0000000002DC0000-0x0000000002DCC000-memory.dmp

Filesize
48KB

Download
memory/4940-283-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/4940-285-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

Filesize
48KB

Download