dcrat | 89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe
Size

1.3MB
MD5

ca350e5e68dc34e5f3542b32c26d55ee
SHA1

764259e0669a0d4ee80b950f99703ea052e8ee53
SHA256

89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6
SHA512

e28f54a4e027a5e7adaa3bcd890f5fe78cba137fb34b5f985a4f528234eb8988cd4c6cd6019adf117dc29fa4f06b639fa43b7c5a11faf7574cc1f25b23033b07
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	200	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4984	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4984	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001abba-284.dat	dcrat
behavioral1/files/0x000900000001abba-285.dat	dcrat
behavioral1/memory/4372-286-0x0000000000730000-0x0000000000840000-memory.dmp	dcrat
behavioral1/files/0x000600000001abe4-661.dat	dcrat
behavioral1/files/0x000600000001abe4-663.dat	dcrat
behavioral1/files/0x000600000001abe4-900.dat	dcrat
behavioral1/files/0x000600000001abe4-906.dat	dcrat
behavioral1/files/0x000600000001abe4-912.dat	dcrat
behavioral1/files/0x000600000001abe4-917.dat	dcrat
behavioral1/files/0x000600000001abe4-923.dat	dcrat
behavioral1/files/0x000600000001abe4-928.dat	dcrat
behavioral1/files/0x000600000001abe4-934.dat	dcrat
behavioral1/files/0x000600000001abe4-939.dat	dcrat
behavioral1/files/0x000600000001abe4-945.dat	dcrat
behavioral1/files/0x000600000001abe4-950.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4372	DllCommonsvc.exe
4288	lsass.exe
5264	lsass.exe
5512	lsass.exe
5676	lsass.exe
6028	lsass.exe
4344	lsass.exe
5104	lsass.exe
4360	lsass.exe
2364	lsass.exe
1196	lsass.exe
596	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\Offline\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\Offline\cc11b995f2a76d	DllCommonsvc.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\MiracastView\Assets\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\MiracastView\Assets\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\fontdrvhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1876	schtasks.exe
4724	schtasks.exe
1312	schtasks.exe
512	schtasks.exe
2500	schtasks.exe
4904	schtasks.exe
2180	schtasks.exe
4596	schtasks.exe
4420	schtasks.exe
4492	schtasks.exe
4772	schtasks.exe
1416	schtasks.exe
708	schtasks.exe
3348	schtasks.exe
2200	schtasks.exe
2988	schtasks.exe
4696	schtasks.exe
3560	schtasks.exe
4112	schtasks.exe
4684	schtasks.exe
1068	schtasks.exe
2132	schtasks.exe
1984	schtasks.exe
4388	schtasks.exe
2548	schtasks.exe
1832	schtasks.exe
2128	schtasks.exe
864	schtasks.exe
4636	schtasks.exe
4588	schtasks.exe
4760	schtasks.exe
224	schtasks.exe
4352	schtasks.exe
2508	schtasks.exe
3236	schtasks.exe
4788	schtasks.exe
952	schtasks.exe
200	schtasks.exe
2772	schtasks.exe
4556	schtasks.exe
2468	schtasks.exe
4392	schtasks.exe
1012	schtasks.exe
1296	schtasks.exe
2224	schtasks.exe
4404	schtasks.exe
652	schtasks.exe
4928	schtasks.exe
4572	schtasks.exe
2136	schtasks.exe
1664	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
4372	DllCommonsvc.exe
2512	powershell.exe
2512	powershell.exe
2472	powershell.exe
2472	powershell.exe
1852	powershell.exe
1852	powershell.exe
2392	powershell.exe
2392	powershell.exe
3144	powershell.exe
3144	powershell.exe
1904	powershell.exe
1904	powershell.exe
3868	powershell.exe
3868	powershell.exe
4812	powershell.exe
4812	powershell.exe
2664	powershell.exe
2664	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
3324	powershell.exe
3324	powershell.exe
4000	powershell.exe
4000	powershell.exe
1144	powershell.exe
1144	powershell.exe
2196	powershell.exe
2196	powershell.exe
4948	powershell.exe
4948	powershell.exe
4296	powershell.exe
4296	powershell.exe
1852	powershell.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
2512	powershell.exe
2512	powershell.exe
2472	powershell.exe
2472	powershell.exe
3324	powershell.exe
3144	powershell.exe
2392	powershell.exe
3868	powershell.exe
4860	powershell.exe
1904	powershell.exe
1144	powershell.exe
4812	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	DllCommonsvc.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeIncreaseQuotaPrivilege	4860	powershell.exe
Token: SeSecurityPrivilege	4860	powershell.exe
Token: SeTakeOwnershipPrivilege	4860	powershell.exe
Token: SeLoadDriverPrivilege	4860	powershell.exe
Token: SeSystemProfilePrivilege	4860	powershell.exe
Token: SeSystemtimePrivilege	4860	powershell.exe
Token: SeProfSingleProcessPrivilege	4860	powershell.exe
Token: SeIncBasePriorityPrivilege	4860	powershell.exe
Token: SeCreatePagefilePrivilege	4860	powershell.exe
Token: SeBackupPrivilege	4860	powershell.exe
Token: SeRestorePrivilege	4860	powershell.exe
Token: SeShutdownPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeSystemEnvironmentPrivilege	4860	powershell.exe
Token: SeRemoteShutdownPrivilege	4860	powershell.exe
Token: SeUndockPrivilege	4860	powershell.exe
Token: SeManageVolumePrivilege	4860	powershell.exe
Token: 33	4860	powershell.exe
Token: 34	4860	powershell.exe
Token: 35	4860	powershell.exe
Token: 36	4860	powershell.exe
Token: SeIncreaseQuotaPrivilege	1852	powershell.exe
Token: SeSecurityPrivilege	1852	powershell.exe
Token: SeTakeOwnershipPrivilege	1852	powershell.exe
Token: SeLoadDriverPrivilege	1852	powershell.exe
Token: SeSystemProfilePrivilege	1852	powershell.exe
Token: SeSystemtimePrivilege	1852	powershell.exe
Token: SeProfSingleProcessPrivilege	1852	powershell.exe
Token: SeIncBasePriorityPrivilege	1852	powershell.exe
Token: SeCreatePagefilePrivilege	1852	powershell.exe
Token: SeBackupPrivilege	1852	powershell.exe
Token: SeRestorePrivilege	1852	powershell.exe
Token: SeShutdownPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeSystemEnvironmentPrivilege	1852	powershell.exe
Token: SeRemoteShutdownPrivilege	1852	powershell.exe
Token: SeUndockPrivilege	1852	powershell.exe
Token: SeManageVolumePrivilege	1852	powershell.exe
Token: 33	1852	powershell.exe
Token: 34	1852	powershell.exe
Token: 35	1852	powershell.exe
Token: 36	1852	powershell.exe
Token: SeIncreaseQuotaPrivilege	4852	powershell.exe
Token: SeSecurityPrivilege	4852	powershell.exe
Token: SeTakeOwnershipPrivilege	4852	powershell.exe
Token: SeLoadDriverPrivilege	4852	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3452	2840	89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe	66
PID 2840 wrote to memory of 3452	2840	89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe	66
PID 2840 wrote to memory of 3452	2840	89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe	66
PID 3452 wrote to memory of 4040	3452	WScript.exe	67
PID 3452 wrote to memory of 4040	3452	WScript.exe	67
PID 3452 wrote to memory of 4040	3452	WScript.exe	67
PID 4040 wrote to memory of 4372	4040	cmd.exe	69
PID 4040 wrote to memory of 4372	4040	cmd.exe	69
PID 4372 wrote to memory of 2472	4372	DllCommonsvc.exe	122
PID 4372 wrote to memory of 2472	4372	DllCommonsvc.exe	122
PID 4372 wrote to memory of 2512	4372	DllCommonsvc.exe	123
PID 4372 wrote to memory of 2512	4372	DllCommonsvc.exe	123
PID 4372 wrote to memory of 2392	4372	DllCommonsvc.exe	124
PID 4372 wrote to memory of 2392	4372	DllCommonsvc.exe	124
PID 4372 wrote to memory of 2336	4372	DllCommonsvc.exe	125
PID 4372 wrote to memory of 2336	4372	DllCommonsvc.exe	125
PID 4372 wrote to memory of 1852	4372	DllCommonsvc.exe	126
PID 4372 wrote to memory of 1852	4372	DllCommonsvc.exe	126
PID 4372 wrote to memory of 3868	4372	DllCommonsvc.exe	127
PID 4372 wrote to memory of 3868	4372	DllCommonsvc.exe	127
PID 4372 wrote to memory of 4812	4372	DllCommonsvc.exe	128
PID 4372 wrote to memory of 4812	4372	DllCommonsvc.exe	128
PID 4372 wrote to memory of 4860	4372	DllCommonsvc.exe	129
PID 4372 wrote to memory of 4860	4372	DllCommonsvc.exe	129
PID 4372 wrote to memory of 3144	4372	DllCommonsvc.exe	130
PID 4372 wrote to memory of 3144	4372	DllCommonsvc.exe	130
PID 4372 wrote to memory of 2196	4372	DllCommonsvc.exe	131
PID 4372 wrote to memory of 2196	4372	DllCommonsvc.exe	131
PID 4372 wrote to memory of 3324	4372	DllCommonsvc.exe	150
PID 4372 wrote to memory of 3324	4372	DllCommonsvc.exe	150
PID 4372 wrote to memory of 1144	4372	DllCommonsvc.exe	132
PID 4372 wrote to memory of 1144	4372	DllCommonsvc.exe	132
PID 4372 wrote to memory of 1904	4372	DllCommonsvc.exe	133
PID 4372 wrote to memory of 1904	4372	DllCommonsvc.exe	133
PID 4372 wrote to memory of 4296	4372	DllCommonsvc.exe	134
PID 4372 wrote to memory of 4296	4372	DllCommonsvc.exe	134
PID 4372 wrote to memory of 2664	4372	DllCommonsvc.exe	135
PID 4372 wrote to memory of 2664	4372	DllCommonsvc.exe	135
PID 4372 wrote to memory of 4948	4372	DllCommonsvc.exe	137
PID 4372 wrote to memory of 4948	4372	DllCommonsvc.exe	137
PID 4372 wrote to memory of 4852	4372	DllCommonsvc.exe	143
PID 4372 wrote to memory of 4852	4372	DllCommonsvc.exe	143
PID 4372 wrote to memory of 4000	4372	DllCommonsvc.exe	139
PID 4372 wrote to memory of 4000	4372	DllCommonsvc.exe	139
PID 4372 wrote to memory of 916	4372	DllCommonsvc.exe	145
PID 4372 wrote to memory of 916	4372	DllCommonsvc.exe	145
PID 916 wrote to memory of 4884	916	cmd.exe	160
PID 916 wrote to memory of 4884	916	cmd.exe	160
PID 916 wrote to memory of 4288	916	cmd.exe	162
PID 916 wrote to memory of 4288	916	cmd.exe	162
PID 4288 wrote to memory of 4640	4288	lsass.exe	163
PID 4288 wrote to memory of 4640	4288	lsass.exe	163
PID 4640 wrote to memory of 5132	4640	cmd.exe	165
PID 4640 wrote to memory of 5132	4640	cmd.exe	165
PID 4640 wrote to memory of 5264	4640	cmd.exe	166
PID 4640 wrote to memory of 5264	4640	cmd.exe	166
PID 5264 wrote to memory of 5424	5264	lsass.exe	167
PID 5264 wrote to memory of 5424	5264	lsass.exe	167
PID 5424 wrote to memory of 5496	5424	cmd.exe	169
PID 5424 wrote to memory of 5496	5424	cmd.exe	169
PID 5424 wrote to memory of 5512	5424	cmd.exe	170
PID 5424 wrote to memory of 5512	5424	cmd.exe	170
PID 5512 wrote to memory of 404	5512	lsass.exe	171
PID 5512 wrote to memory of 404	5512	lsass.exe	171

C:\Users\Admin\AppData\Local\Temp\89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe
"C:\Users\Admin\AppData\Local\Temp\89424902cd52e3b057c13806c9275aa38193ec9fde8d478696890f0abbe4bbc6.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'
        5⤵
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\MiracastView\Assets\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Offline\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uC7irrZX3Q.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4884
      - C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5132
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5496
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
        11⤵
        
        PID:404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5664
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat"
        13⤵
        
        PID:5348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:6008
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
        15⤵
        
        PID:5976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4496
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        17⤵
        
        PID:4844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4392
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
        19⤵
        
        PID:4728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3624
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        21⤵
        
        PID:5544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1660
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        23⤵
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2452
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        25⤵
        
        PID:4832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4588
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        26⤵
        Executes dropped EXE
        
        PID:596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Default\Application Data\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\MiracastView\Assets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\MiracastView\Assets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\MiracastView\Assets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\Offline\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Offline\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\Offline\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\odt\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aba0c30fd712d33159c8d62c9352196f

SHA1
226d92544521be66a597cd6f981ec7344c261547

SHA256
9ebfc8da4b61319da692ebc4271185f53744277eb7f42c98895dba2377e6f8af

SHA512
5225ce08e600a269f03c293e7dd5cf1fc624fc5287076fea5f4adb5a1c2e1975fafa60fc1bf68153c0d11cca2f805315767b71b0358d51819e4bef3a43f79c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1cc25bcfe50142304ee26c4e02f2118a

SHA1
17d70905e8e13fbf31afffd655c8226f72fff53d

SHA256
0951a1002e09de1e098a6817efcb27b5381540542b4db5f841d7c8f8a2a7e75e

SHA512
d3c721cffcdc4f5e052b71c694e7eb063fca555155a05476cb9dcf43ec60f223934a8cb79c1159698a0e173dcc81e0b67d7576a0fd092ad8f64e0d3ec7859bdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1e9c3b9e2cbc7d2adbe08a2d491262f2

SHA1
2dc20f23d84a16a0e27953c861fc144f590f1e31

SHA256
60cbaf6b7337b41e0fad8bea2a2b4edbfc66756db6a48b0d3187f76426220096

SHA512
7d2b26dcf690ce9948f4859610723becf48571bf9a35af93be4d338e14ca4d11f7d5544d8427624f41b740375bbc936b8c70ef85156f7174f7a65a1395d0a788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1e9c3b9e2cbc7d2adbe08a2d491262f2

SHA1
2dc20f23d84a16a0e27953c861fc144f590f1e31

SHA256
60cbaf6b7337b41e0fad8bea2a2b4edbfc66756db6a48b0d3187f76426220096

SHA512
7d2b26dcf690ce9948f4859610723becf48571bf9a35af93be4d338e14ca4d11f7d5544d8427624f41b740375bbc936b8c70ef85156f7174f7a65a1395d0a788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c878470b1421dc5f1a906d12542ab918

SHA1
651393e74f720d7ed7160cc71b76658d6f290968

SHA256
a9541ff4c50290d109764cde0d4bfadf5552670d94e2b116457358b7771796b7

SHA512
0e3a9e29df95794bde688b717939a68864f8745a9eb6f223c326d9bba26afb6a5aa526e1d47a127a7e41627a8ed929a5797da27d20bf2d321307f3e150bf4c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c878470b1421dc5f1a906d12542ab918

SHA1
651393e74f720d7ed7160cc71b76658d6f290968

SHA256
a9541ff4c50290d109764cde0d4bfadf5552670d94e2b116457358b7771796b7

SHA512
0e3a9e29df95794bde688b717939a68864f8745a9eb6f223c326d9bba26afb6a5aa526e1d47a127a7e41627a8ed929a5797da27d20bf2d321307f3e150bf4c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6bcec28f2f5e1b02a10b3c3d9e7b7c7

SHA1
d12b2ae498ad9c6468948f068e5abd7aa68a84bd

SHA256
0bd8ba9d5b21eeb031d719e9ba1555125d2a422933789356c0d99dac47138ca1

SHA512
df935808bc09e92e1fd92b9f09a05256d9adc6de7825f2b4bf9f7978803a12e5c2f2c5f24c7caa7d416a47197a29bd25c79122faee4156cf4a52369568798456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6bcec28f2f5e1b02a10b3c3d9e7b7c7

SHA1
d12b2ae498ad9c6468948f068e5abd7aa68a84bd

SHA256
0bd8ba9d5b21eeb031d719e9ba1555125d2a422933789356c0d99dac47138ca1

SHA512
df935808bc09e92e1fd92b9f09a05256d9adc6de7825f2b4bf9f7978803a12e5c2f2c5f24c7caa7d416a47197a29bd25c79122faee4156cf4a52369568798456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9400065dc70f78382152e2accb144e84

SHA1
9c965c520dab2958eba9a4e262fa43275980df75

SHA256
3157b06603312bb01f693aa5a6cdcf58383c65dfa458cb8d09abddb6b831dd27

SHA512
b03b8b7ffa32ddc4a601a5f8cbd62c7cf0b20683ab145259ed7fe0cc6a8d28136e9099369229e35de5d52f07a8953bec7c07a265b0999c8a916f2ff1771fefd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
31d53cf6a64fa5b87a53807b2a99df4b

SHA1
2e7ccc8fd85773a914b6700c7ed0312d597f208c

SHA256
6340d41c6cecbdbf3484fc4b3d9583977635d5edf4bdd0b9bec3a120271afa19

SHA512
fac62e11a5dc4b4c48c36c099024501aebf989cc11d3d4a3770afa822b4db0dc390fb08f6faa04f91f0eb64c589c36a3c8804b69aff538e13168e79bb52730ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dde4f152d41531ecd3bf2802fbed4796

SHA1
c0a79b2710e79c1b021dd47f7745a3a514139944

SHA256
4896a963d89a87b2dc2589963ede23ad9b6a72ac896125a9dc528d185cf1f868

SHA512
0f2f18c19c5c440657b0425dc03d8e872426172f2cfc0286a77100685c58ace3117db0dbbbf4335a57f613b8fc23f650db86df79dbb87c4e51cfa9f0436e89d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bf90fc26e795b97d03a051855e7f226

SHA1
e31c4f1051b81191e9af1aa7c5d817965d8ccb15

SHA256
ceab1d4d35aaba87154694b0d4612ae53f8f7a23949fb3b549b8bac37a713edb

SHA512
419a655d5f562763f3a5be5961a13beaf7ad3350a44510630fb9db5de4435a9babc92e1521fc55d189c2cae58713cb1ee945aa152fedd65d8a4a423c6d6f97f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bf90fc26e795b97d03a051855e7f226

SHA1
e31c4f1051b81191e9af1aa7c5d817965d8ccb15

SHA256
ceab1d4d35aaba87154694b0d4612ae53f8f7a23949fb3b549b8bac37a713edb

SHA512
419a655d5f562763f3a5be5961a13beaf7ad3350a44510630fb9db5de4435a9babc92e1521fc55d189c2cae58713cb1ee945aa152fedd65d8a4a423c6d6f97f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
11f30533ab7cad94cd9e46c7c33c9eb6

SHA1
13587c3945e13903ff7b1685697b3f57e89c36de

SHA256
fb81e23088b643e10d9d5813fca1d8714f44eaffbafc0309ac32b1499193164e

SHA512
a1837cd150987eb4ffd2d91f0e47761e551ed0ce2bab31b0506805ed30f696c377956d0a09253b0e8dc169ba61f24ab28a0c5436e173725516a9fa7d2c1851a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d1a9db27188ade006bf02a19521c14c

SHA1
efd36241d4115af513b6556ac39e9e11be23eb3d

SHA256
bf05fb54a49527341adf09d1068dae816719723f1cf2488d389836a220fc8531

SHA512
8c06290373fa0a1edeb1deba9665343253839a87fcc8eec51234c987f6c23339cf5428af042b9a9f30c68f11fb9307662718193d7ee5678f6b3b9b42194211ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
efdda6dd755e71cb59e8723d2ff69871

SHA1
3d0274fadcfedd36308a06fb29cc3985e8f5c268

SHA256
442016687151684d10b554b6f689b885a186a03e6877b1416af82ab667102f85

SHA512
41966bbed36841035706b25cfc9c4d716535c336ae183482ee46617b0c881d33b257ae89e9611a4905773b8b50aba7f08fe7d311c65ab01891ea5d19878503c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

Filesize
196B

MD5
28e9ce38efb94658a93ccef3dbfb7efb

SHA1
d5168453d128e3caabe4769aa4fcbbe5290dbb71

SHA256
7e721470af9dc65ec31de8273469bbd51074d62360053ac7fb45bf5d7dc76126

SHA512
71f9753c8c83e5e0e1c93a99cc85b96d43dcdbaed4e9b26f7b632e15b08d1c90a62253af2517d592231096ebe32c2054f16b80123ca43bb97cfb92caba2bc9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

Filesize
196B

MD5
a450665944907d1665756be38cd60a11

SHA1
c1a0b7166bb9fc11ca568be950180adcb8913b22

SHA256
8c5a0f0f055952fdc0a2ff8ca699e226cbc44e0ec805e452b5c72f87ab91a838

SHA512
d95692e37e35a37fd2ef8220cc93f6ebcfe66883e6251f7f3bdfc7f17191ae0f4f53aa017e338dff9d3f7d14af93b04256e03ae603135a4ed52da2379e99efb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
196B

MD5
1d9c6126b6ddad1c9fd6d987f11c9a29

SHA1
81c1294b4ab08500c4cf74cbee85a78800074373

SHA256
5f9fc1b5de258d537fe34fc9dc75c6426f2d4303fedf033eb96364ae63622e4b

SHA512
01cf96b40681410cdd1bdbdf5dd02807fca966264c87899a491b7da41163b79941b8399f5839f70e53241eb50fe7c5716b6b0a8e8ba6dfa017ff0c2b5225d8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat

Filesize
196B

MD5
89e03cb3a2933eb54b8ee8eb0c1e661b

SHA1
6f4984ab4386e5a49459eeaaa17ca99432d8c38e

SHA256
f6a4becc265c726cfb308f7c8a4798feab474c7a093b1ce529ff6197b3d39d5e

SHA512
1b9f16b9132eaf35101c0851b406b7605f97d2abd806962c3fef1fb74b053c19fb9ff4cca98fc6fe55d085eada609ec5ca383d3a5e53fd8e6b8dbf6fb101b572

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
196B

MD5
dd17ada54c912c50fdcab6610523d6d0

SHA1
e17688e024a25286acc7e5fba5d6db1982e6f91d

SHA256
c68786b4996d89791c287f25cdbe53d58f87b9fe09a9b23e75d944c8c162d56f

SHA512
26c98f35615cc409150c8e226004689563862ca2e57d2c18dce5ba08943f7eb95c20bc82a116903adec7c6bfc6ee58110e8f8bb5404e5be5d564af77f4835e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
196B

MD5
f8b32515f1556322cdbd37c56ef36e97

SHA1
fe16bbadc383c43173bc7e2f22edcff6de0e6a62

SHA256
ddf21ea8ed5f436bd83022fea47efcace70281e8f63e9a5fc36152136da45f85

SHA512
0d99b1aac1884ac0f32526853b131391d78a92dfc4defe042fc17683cca7a9f39fdc793f8a2aa2511e1ece154347297a8f2bc5bb1fdeb1bc880106265af90bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
196B

MD5
9a2905794d2517df05dddb350a6aa3b7

SHA1
3115795c8a047e98720b21a3155f0fcd5b0dbd6f

SHA256
f8529907312a3d1570dcf62a576a6488be4bc80e07cf56ffce452e1c69e34138

SHA512
a2e2733f8468db61bd46b1ac949a4c49659442118bc481c3d22a588c6f4f40132e717e896e67b5b60c9e5c2feea1c1ca13339dd50270f68d3b8d39bc10d1d63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

Filesize
196B

MD5
dfcc0629941093195845927e6e9d364e

SHA1
97aca8a8c8b6a19b0476d7b818b079735e622cc6

SHA256
0debaafc7b4cf7c822496006000da1186c5bd4183244f2196abec4b37a6fb154

SHA512
6c988f9ac1b7c4524a4fe41438ee559baaed68b4a6226415ac4f90be360ae848838f22003c9d90de1b4c234fa9e3b942e14300e2bda50e1b89ad4cf3eb269355

Download Submit
C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat

Filesize
196B

MD5
18ec9297acbb85e328b058bc0e21b198

SHA1
b9bf888bc653c1fc0caac05cde6d9d002c9fd2b4

SHA256
48a80818b30b0a62977bb5584dfd18fde7dd49574ec9602da7c81016000a3761

SHA512
8dc67b96001c4bb31a87cda46c06f1e0bbfe31a7b485c7f71e6d1709f7b071e648cb7f0c1e36cae75d1b3415c20b8c7a1d6c7b15d34bfa7f32e6bad54643c614

Download Submit
C:\Users\Admin\AppData\Local\Temp\uC7irrZX3Q.bat

Filesize
196B

MD5
d085d4ee892241b36e857323ee3ff527

SHA1
29b42f80c746529790027ff21de46d949427d74b

SHA256
3f7e95ea0f89f3558802cc239d1a6b6dcee0320a49fba38b3ff78a185ddfcf53

SHA512
fda2ec4a204d2e02effcd1ba5b1eaa88a8ca245dab2c458034d1736e0882a7c45dcaca4cbe7a7e87f8064bef000d1f3ebb4146a620cea8f068cacc83687df6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
196B

MD5
89cdec4ec8d4fac7f5ce7be84ff61dec

SHA1
3dab5fc74d88745f486d49c3a8e462ed54aa1260

SHA256
d935fd95bd59c8ab63a0a9eede93981c825f8d41d2f1f6bf6d5088cb76ada0ff

SHA512
765d9302e2064e354f7a5944fd36f490468c1fc27974ea12463969111ca16124f8dee2c5c3e904cc41b2e76f94a8111813b6dec13b861f1657b9f152b107b4d5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/596-951-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2364-940-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/2512-371-0x000001E45D700000-0x000001E45D722000-memory.dmp

Filesize
136KB

Download
memory/2840-166-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-154-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-121-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-122-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-123-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-125-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-126-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-128-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-129-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-130-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-131-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-183-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-132-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-182-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-133-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-135-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-136-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-181-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-134-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-180-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-179-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-178-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-177-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-137-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-138-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-139-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-140-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-176-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-175-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-174-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-173-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-141-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-172-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-143-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-142-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-171-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-170-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-144-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-145-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-169-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-146-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-168-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-167-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-120-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-165-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-164-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-162-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-163-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-161-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-160-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-159-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-158-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-157-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-156-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-155-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-147-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-153-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-152-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-148-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-151-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-150-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-149-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3452-185-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/3452-186-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/4288-752-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/4372-286-0x0000000000730000-0x0000000000840000-memory.dmp

Filesize
1.1MB

Download
memory/4372-287-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/4372-289-0x00000000027A0000-0x00000000027AC000-memory.dmp

Filesize
48KB

Download
memory/4372-290-0x00000000027B0000-0x00000000027BC000-memory.dmp

Filesize
48KB

Download
memory/4372-288-0x00000000027C0000-0x00000000027CC000-memory.dmp

Filesize
48KB

Download
memory/4860-382-0x0000023020680000-0x00000230206F6000-memory.dmp

Filesize
472KB

Download
memory/5104-929-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/5512-907-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/6028-918-0x0000000001440000-0x0000000001452000-memory.dmp

Filesize
72KB

Download