dcrat | f716931b4b144dedf370a505230b004da77b2f22f9ea862a5a39fcbc04576cc2

Analysis

max time kernel
145s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f716931b4b144dedf370a505230b004da77b2f22f9ea862a5a39fcbc04576cc2.exe
Size

1.3MB
MD5

d8fa7091b6aa503ec12f4655c4d993b0
SHA1

6b1f5379c8dd1eea3ab9ce864f80e488c3b4244b
SHA256

f716931b4b144dedf370a505230b004da77b2f22f9ea862a5a39fcbc04576cc2
SHA512

0638e7ff2030ee8ea55af03f881316336dd513ad714f180c30cd18b5821e2b51ae7b81cc2e5be2e99177c0eb81d50e40b2ec412e50c66176855fb535281da827
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	96	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	164	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	4148	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	4148	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac16-281.dat	dcrat
behavioral1/files/0x000900000001ac16-282.dat	dcrat
behavioral1/memory/4588-283-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac4f-709.dat	dcrat
behavioral1/files/0x000600000001ac4f-708.dat	dcrat
behavioral1/files/0x000600000001ac4f-966.dat	dcrat
behavioral1/files/0x000600000001ac4f-972.dat	dcrat
behavioral1/files/0x000600000001ac4f-977.dat	dcrat
behavioral1/files/0x000600000001ac4f-983.dat	dcrat
behavioral1/files/0x000600000001ac4f-988.dat	dcrat
behavioral1/files/0x000600000001ac4f-994.dat	dcrat
behavioral1/files/0x000600000001ac4f-1000.dat	dcrat
behavioral1/files/0x000600000001ac4f-1006.dat	dcrat
behavioral1/files/0x000600000001ac4f-1012.dat	dcrat
behavioral1/files/0x000600000001ac4f-1017.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4588	DllCommonsvc.exe
5572	fontdrvhost.exe
5280	fontdrvhost.exe
5312	fontdrvhost.exe
5256	fontdrvhost.exe
5856	fontdrvhost.exe
4988	fontdrvhost.exe
4424	fontdrvhost.exe
2808	fontdrvhost.exe
1808	fontdrvhost.exe
1360	fontdrvhost.exe
4752	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4796	schtasks.exe
392	schtasks.exe
2916	schtasks.exe
4412	schtasks.exe
2676	schtasks.exe
4612	schtasks.exe
1320	schtasks.exe
4880	schtasks.exe
1688	schtasks.exe
2856	schtasks.exe
2716	schtasks.exe
1316	schtasks.exe
1876	schtasks.exe
2232	schtasks.exe
4872	schtasks.exe
4688	schtasks.exe
1496	schtasks.exe
224	schtasks.exe
4736	schtasks.exe
3324	schtasks.exe
4696	schtasks.exe
4832	schtasks.exe
4720	schtasks.exe
164	schtasks.exe
1104	schtasks.exe
856	schtasks.exe
96	schtasks.exe
2292	schtasks.exe
2544	schtasks.exe
1248	schtasks.exe
4432	schtasks.exe
2248	schtasks.exe
4416	schtasks.exe
4876	schtasks.exe
4060	schtasks.exe
4436	schtasks.exe
676	schtasks.exe
624	schtasks.exe
2072	schtasks.exe
3116	schtasks.exe
4464	schtasks.exe
2484	schtasks.exe
2332	schtasks.exe
3176	schtasks.exe
900	schtasks.exe
844	schtasks.exe
4396	schtasks.exe
2108	schtasks.exe
1528	schtasks.exe
1480	schtasks.exe
208	schtasks.exe
1156	schtasks.exe
4816	schtasks.exe
3928	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	f716931b4b144dedf370a505230b004da77b2f22f9ea862a5a39fcbc04576cc2.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
2016	powershell.exe
2016	powershell.exe
1904	powershell.exe
1904	powershell.exe
3796	powershell.exe
3796	powershell.exe
2828	powershell.exe
2828	powershell.exe
1500	powershell.exe
1500	powershell.exe
3916	powershell.exe
3916	powershell.exe
4956	powershell.exe
4956	powershell.exe
4660	powershell.exe
4660	powershell.exe
3456	powershell.exe
3456	powershell.exe
1424	powershell.exe
1424	powershell.exe
3468	powershell.exe
3468	powershell.exe
4092	powershell.exe
4092	powershell.exe
4992	powershell.exe
4992	powershell.exe
4280	powershell.exe
4280	powershell.exe
5028	powershell.exe
5028	powershell.exe
4532	powershell.exe
4532	powershell.exe
4932	powershell.exe
4932	powershell.exe
3468	powershell.exe
4492	powershell.exe
4492	powershell.exe
3456	powershell.exe
4532	powershell.exe
4012	powershell.exe
4012	powershell.exe
4992	powershell.exe
4012	powershell.exe
2016	powershell.exe
2016	powershell.exe
1904	powershell.exe
1904	powershell.exe
3796	powershell.exe
3796	powershell.exe
4532	powershell.exe
2828	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	DllCommonsvc.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeIncreaseQuotaPrivilege	4532	powershell.exe
Token: SeSecurityPrivilege	4532	powershell.exe
Token: SeTakeOwnershipPrivilege	4532	powershell.exe
Token: SeLoadDriverPrivilege	4532	powershell.exe
Token: SeSystemProfilePrivilege	4532	powershell.exe
Token: SeSystemtimePrivilege	4532	powershell.exe
Token: SeProfSingleProcessPrivilege	4532	powershell.exe
Token: SeIncBasePriorityPrivilege	4532	powershell.exe
Token: SeCreatePagefilePrivilege	4532	powershell.exe
Token: SeBackupPrivilege	4532	powershell.exe
Token: SeRestorePrivilege	4532	powershell.exe
Token: SeShutdownPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeSystemEnvironmentPrivilege	4532	powershell.exe
Token: SeRemoteShutdownPrivilege	4532	powershell.exe
Token: SeUndockPrivilege	4532	powershell.exe
Token: SeManageVolumePrivilege	4532	powershell.exe
Token: 33	4532	powershell.exe
Token: 34	4532	powershell.exe
Token: 35	4532	powershell.exe
Token: 36	4532	powershell.exe
Token: SeIncreaseQuotaPrivilege	4992	powershell.exe
Token: SeSecurityPrivilege	4992	powershell.exe
Token: SeTakeOwnershipPrivilege	4992	powershell.exe
Token: SeLoadDriverPrivilege	4992	powershell.exe
Token: SeSystemProfilePrivilege	4992	powershell.exe
Token: SeSystemtimePrivilege	4992	powershell.exe
Token: SeProfSingleProcessPrivilege	4992	powershell.exe
Token: SeIncBasePriorityPrivilege	4992	powershell.exe
Token: SeCreatePagefilePrivilege	4992	powershell.exe
Token: SeBackupPrivilege	4992	powershell.exe
Token: SeRestorePrivilege	4992	powershell.exe
Token: SeShutdownPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeSystemEnvironmentPrivilege	4992	powershell.exe
Token: SeRemoteShutdownPrivilege	4992	powershell.exe
Token: SeUndockPrivilege	4992	powershell.exe
Token: SeManageVolumePrivilege	4992	powershell.exe
Token: 33	4992	powershell.exe
Token: 34	4992	powershell.exe
Token: 35	4992	powershell.exe
Token: 36	4992	powershell.exe
Token: SeIncreaseQuotaPrivilege	3456	powershell.exe
Token: SeSecurityPrivilege	3456	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3704	4888	f716931b4b144dedf370a505230b004da77b2f22f9ea862a5a39fcbc04576cc2.exe	66
PID 4888 wrote to memory of 3704	4888	f716931b4b144dedf370a505230b004da77b2f22f9ea862a5a39fcbc04576cc2.exe	66
PID 4888 wrote to memory of 3704	4888	f716931b4b144dedf370a505230b004da77b2f22f9ea862a5a39fcbc04576cc2.exe	66
PID 3704 wrote to memory of 1296	3704	WScript.exe	67
PID 3704 wrote to memory of 1296	3704	WScript.exe	67
PID 3704 wrote to memory of 1296	3704	WScript.exe	67
PID 1296 wrote to memory of 4588	1296	cmd.exe	69
PID 1296 wrote to memory of 4588	1296	cmd.exe	69
PID 4588 wrote to memory of 1904	4588	DllCommonsvc.exe	125
PID 4588 wrote to memory of 1904	4588	DllCommonsvc.exe	125
PID 4588 wrote to memory of 2016	4588	DllCommonsvc.exe	164
PID 4588 wrote to memory of 2016	4588	DllCommonsvc.exe	164
PID 4588 wrote to memory of 3796	4588	DllCommonsvc.exe	126
PID 4588 wrote to memory of 3796	4588	DllCommonsvc.exe	126
PID 4588 wrote to memory of 2828	4588	DllCommonsvc.exe	127
PID 4588 wrote to memory of 2828	4588	DllCommonsvc.exe	127
PID 4588 wrote to memory of 3916	4588	DllCommonsvc.exe	129
PID 4588 wrote to memory of 3916	4588	DllCommonsvc.exe	129
PID 4588 wrote to memory of 1500	4588	DllCommonsvc.exe	132
PID 4588 wrote to memory of 1500	4588	DllCommonsvc.exe	132
PID 4588 wrote to memory of 4660	4588	DllCommonsvc.exe	133
PID 4588 wrote to memory of 4660	4588	DllCommonsvc.exe	133
PID 4588 wrote to memory of 4956	4588	DllCommonsvc.exe	134
PID 4588 wrote to memory of 4956	4588	DllCommonsvc.exe	134
PID 4588 wrote to memory of 3456	4588	DllCommonsvc.exe	137
PID 4588 wrote to memory of 3456	4588	DllCommonsvc.exe	137
PID 4588 wrote to memory of 1424	4588	DllCommonsvc.exe	138
PID 4588 wrote to memory of 1424	4588	DllCommonsvc.exe	138
PID 4588 wrote to memory of 3468	4588	DllCommonsvc.exe	159
PID 4588 wrote to memory of 3468	4588	DllCommonsvc.exe	159
PID 4588 wrote to memory of 4092	4588	DllCommonsvc.exe	139
PID 4588 wrote to memory of 4092	4588	DllCommonsvc.exe	139
PID 4588 wrote to memory of 4992	4588	DllCommonsvc.exe	140
PID 4588 wrote to memory of 4992	4588	DllCommonsvc.exe	140
PID 4588 wrote to memory of 4280	4588	DllCommonsvc.exe	156
PID 4588 wrote to memory of 4280	4588	DllCommonsvc.exe	156
PID 4588 wrote to memory of 4532	4588	DllCommonsvc.exe	142
PID 4588 wrote to memory of 4532	4588	DllCommonsvc.exe	142
PID 4588 wrote to memory of 5028	4588	DllCommonsvc.exe	143
PID 4588 wrote to memory of 5028	4588	DllCommonsvc.exe	143
PID 4588 wrote to memory of 4932	4588	DllCommonsvc.exe	144
PID 4588 wrote to memory of 4932	4588	DllCommonsvc.exe	144
PID 4588 wrote to memory of 4492	4588	DllCommonsvc.exe	147
PID 4588 wrote to memory of 4492	4588	DllCommonsvc.exe	147
PID 4588 wrote to memory of 4012	4588	DllCommonsvc.exe	148
PID 4588 wrote to memory of 4012	4588	DllCommonsvc.exe	148
PID 4588 wrote to memory of 1712	4588	DllCommonsvc.exe	154
PID 4588 wrote to memory of 1712	4588	DllCommonsvc.exe	154
PID 1712 wrote to memory of 468	1712	cmd.exe	165
PID 1712 wrote to memory of 468	1712	cmd.exe	165
PID 1712 wrote to memory of 5572	1712	cmd.exe	167
PID 1712 wrote to memory of 5572	1712	cmd.exe	167
PID 5572 wrote to memory of 4880	5572	fontdrvhost.exe	168
PID 5572 wrote to memory of 4880	5572	fontdrvhost.exe	168
PID 4880 wrote to memory of 5176	4880	cmd.exe	170
PID 4880 wrote to memory of 5176	4880	cmd.exe	170
PID 4880 wrote to memory of 5280	4880	cmd.exe	171
PID 4880 wrote to memory of 5280	4880	cmd.exe	171
PID 5280 wrote to memory of 3324	5280	fontdrvhost.exe	172
PID 5280 wrote to memory of 3324	5280	fontdrvhost.exe	172
PID 3324 wrote to memory of 6116	3324	cmd.exe	174
PID 3324 wrote to memory of 6116	3324	cmd.exe	174
PID 3324 wrote to memory of 5312	3324	cmd.exe	175
PID 3324 wrote to memory of 5312	3324	cmd.exe	175

C:\Users\Admin\AppData\Local\Temp\f716931b4b144dedf370a505230b004da77b2f22f9ea862a5a39fcbc04576cc2.exe
"C:\Users\Admin\AppData\Local\Temp\f716931b4b144dedf370a505230b004da77b2f22f9ea862a5a39fcbc04576cc2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QuRhIyamyW.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:468
      - C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5176
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:6116
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
        11⤵
        
        PID:5132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5864
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"
        13⤵
        
        PID:6008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:6096
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
        15⤵
        
        PID:5736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:5148
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        17⤵
        
        PID:5732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4692
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        19⤵
        
        PID:5768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2016
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        21⤵
        
        PID:4624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:5868
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"
        23⤵
        
        PID:5440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4712
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat"
        25⤵
        
        PID:4736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3832
        
        C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe
        
        "C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
        27⤵
        
        PID:4612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Videos\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:96

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
586a73c15bade3e6431a1a2f2d651dfd

SHA1
ad50e47ae724fc0a81b7f1f1843ad5f9ea63c721

SHA256
b084fed0d2175cb1017a6c39a198777ed1555d147767ea3c2265a7aa35895fc6

SHA512
6b2eeb1ff6804af2f689e91c214bea585812849b54b943ff6e0ce846ca9f90bd264ecbdac5dac613c773cf4c453168832564295014999e9ac2560b2afd3d3f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbd2744bcde517463c9b9a8ee8b0a9d0

SHA1
55268184f39ed650553c01228e4ba2d1d9762e6a

SHA256
1766d0cff603cc2b0323a084b34b6a3219f49eb60c6c1d2da059602bd3b34d6e

SHA512
56e92d077122949830ea2099ad824fffed041f4463f885f33484946407c7154958ed997fed40fe8b131fb92506dbcf77a9437f8005a465c522f3d8664740f14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b104dd017cbec178ef688a9823d31303

SHA1
12d3cae2ddb7d9d7633308971e68a0ba23dc407c

SHA256
6b5c0805762b9ae3343b8245434a893d4686110ac712989637e41c6c5d87729f

SHA512
423f29bb3a464768b31408bcae9ad37497ef79d1604e4a65c01aa5a237a95cbf2922fd5ae93c2e00a735d47a55f650dc4a34c2c60bc0d709c18ac4bd9b5563e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b104dd017cbec178ef688a9823d31303

SHA1
12d3cae2ddb7d9d7633308971e68a0ba23dc407c

SHA256
6b5c0805762b9ae3343b8245434a893d4686110ac712989637e41c6c5d87729f

SHA512
423f29bb3a464768b31408bcae9ad37497ef79d1604e4a65c01aa5a237a95cbf2922fd5ae93c2e00a735d47a55f650dc4a34c2c60bc0d709c18ac4bd9b5563e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aeb7313b8097ee2e5d59f8a052b7bbda

SHA1
99e33ac4156bec4526378c9302a187bad7808238

SHA256
1c691ff797169831c9e82b9f2d313cf3081b7575482611faf14a5246583db16b

SHA512
73fd5a6e00f74ac00e196d520feaf3646ef103292063d0b6a4c42dd85f0dec5ef1b97a311e52c2fa5638ec7873ea40818c6d0046814bb978e428077b3c9c0339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8d528701c3517c6f8b0c46425b72f68

SHA1
6789ecb3df333880f50d71bd4651e9a5039deddf

SHA256
1e36f4276e7ac679ed05da3fb6db6c4a030d30c40e5b4f142c305b6d625ba172

SHA512
d7be29e20bcc872b376e5c8e5d22ddbd6c95b734a3ce55041bfe258a80396a6c489d37eb75bfcd2bf2f337299d012d3a3cca560a66e8ec9c391cc51e4e74ac43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8d528701c3517c6f8b0c46425b72f68

SHA1
6789ecb3df333880f50d71bd4651e9a5039deddf

SHA256
1e36f4276e7ac679ed05da3fb6db6c4a030d30c40e5b4f142c305b6d625ba172

SHA512
d7be29e20bcc872b376e5c8e5d22ddbd6c95b734a3ce55041bfe258a80396a6c489d37eb75bfcd2bf2f337299d012d3a3cca560a66e8ec9c391cc51e4e74ac43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
427c529c029294f6e51697d6a0c20fec

SHA1
a2c8a17cec51e60011fc24c22666d63de5eb8ed8

SHA256
0942613937aeb75c2b2930b8b2438980cfe1045715c2fe4778b09e54a973c8c6

SHA512
23a87599d97484a57635c83710bdf027d868d9b25d611c31ff21f24ade71c42a61dbfd30325ec359f6aec60744b4ca878e2ad40ce253897065fa3dd9f041853e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da62e31ef9c99c1820296acc60aa1937

SHA1
4d88851570ae080731e9c8cd55d81e70c5c018f8

SHA256
af76195242b7f7340450d85ab7835601905553a10ddf088d59381829c6bee194

SHA512
f5166beb5390202f34f24c380d11da67334aeaac3c3d6c0edd838e5b445e2a0ed6d40f16f6b11b740a9b30870f1fc87aedaa71b8dc2ffc31dc5c6f739c2103bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
280cf58000723aab5bd8583ffff35cff

SHA1
07e63bcd7a6ee2c11aa714400b8f89c17761c30f

SHA256
f8cad4f71280f710b2b7a739b1e3aa82d2a579beaf33d0a6a4e3b3ebf3f2c822

SHA512
334a4b0b7570470a0f161f77fca96944368e85fafd889f55bd7dd0b37e44f1fe29d0d5e635e0b7a13065c042af6da9231e4cfc3c9af490209e1d7e78b8fae409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
280cf58000723aab5bd8583ffff35cff

SHA1
07e63bcd7a6ee2c11aa714400b8f89c17761c30f

SHA256
f8cad4f71280f710b2b7a739b1e3aa82d2a579beaf33d0a6a4e3b3ebf3f2c822

SHA512
334a4b0b7570470a0f161f77fca96944368e85fafd889f55bd7dd0b37e44f1fe29d0d5e635e0b7a13065c042af6da9231e4cfc3c9af490209e1d7e78b8fae409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
280cf58000723aab5bd8583ffff35cff

SHA1
07e63bcd7a6ee2c11aa714400b8f89c17761c30f

SHA256
f8cad4f71280f710b2b7a739b1e3aa82d2a579beaf33d0a6a4e3b3ebf3f2c822

SHA512
334a4b0b7570470a0f161f77fca96944368e85fafd889f55bd7dd0b37e44f1fe29d0d5e635e0b7a13065c042af6da9231e4cfc3c9af490209e1d7e78b8fae409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
280cf58000723aab5bd8583ffff35cff

SHA1
07e63bcd7a6ee2c11aa714400b8f89c17761c30f

SHA256
f8cad4f71280f710b2b7a739b1e3aa82d2a579beaf33d0a6a4e3b3ebf3f2c822

SHA512
334a4b0b7570470a0f161f77fca96944368e85fafd889f55bd7dd0b37e44f1fe29d0d5e635e0b7a13065c042af6da9231e4cfc3c9af490209e1d7e78b8fae409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f143b46a4c031d30035e8383fa53341f

SHA1
1615f9dfd3dc59ac5aa96fbc116ae568073c226a

SHA256
0f1ea1211204b3ec994de94cdf39f9a1dd8ce3a660dc656cc38da8a72b1fd8a6

SHA512
4bb4438defb81cc94b1e0948dd5550d2092ed505c48ca866699779bd5e44e6e750446fed5526f41910faac2aae082cad6dd60a61bb04af696911fd829c4c9253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f143b46a4c031d30035e8383fa53341f

SHA1
1615f9dfd3dc59ac5aa96fbc116ae568073c226a

SHA256
0f1ea1211204b3ec994de94cdf39f9a1dd8ce3a660dc656cc38da8a72b1fd8a6

SHA512
4bb4438defb81cc94b1e0948dd5550d2092ed505c48ca866699779bd5e44e6e750446fed5526f41910faac2aae082cad6dd60a61bb04af696911fd829c4c9253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3cc10b5376b60e2a875bd601a54933f5

SHA1
a8036d6cc38e5d11e4a38e4f3e555fa43ed7d051

SHA256
dc39dd328cc26b186ce40ab1ebea32bac5b810e50a4190c29122621e4d626642

SHA512
c266429fd02d02ce14900a87b516c1d9a552f211ebf2ff3b667d316e7a3c4ea434adb0a0dc4e82ab4f4a276b4f4879b3e9730066feba7a665b4b4af7a4a63e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1806ac9f610bda0834854590cb57cf91

SHA1
a0b741946d77d6164108c3b722dab932aa34a27c

SHA256
e8c443d4ab583e2ef43c6dc15fd8fa1621508bef2d64cec5aeaa6ac77511c8a5

SHA512
17ce8ede9e48f76c8ab5dbbd9bb202cccb8b6f8e4a24cc251745388075213e94356780c755494f3f498c4090805812c80622cfec4926660c7f611144564f15b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
668B

MD5
01edf368febc1162d10bd63be76a4c31

SHA1
01dbe2f4ac5f712658e52fc36a5ac286e4c1c76d

SHA256
4fdf7be028a7ea34ea7cbecbd807f97d59fa93b86ffcf91a2bca61519982b8bc

SHA512
e2d7ab4845901cf505aae8d31919d86ea99242ff876c4a86931b301c06663a14953b3e8bfff9130e2a18bc2fe63351b07119150b0026a37ec93478b6c60031b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat

Filesize
225B

MD5
be407a45b735bef160bd5517d06a3d3f

SHA1
02fba48f971965002ab3d7f855b7458d00d46ede

SHA256
1eb3bf8cbe7099a18dd6e438568579b77f3dc513f4e35c1e9e5cced5ade00f30

SHA512
0760a1399f0b6dcb9ee57fb1f5395ab208619b1b24f64358eefc4e8ae8be12121bd5dc719e2a43932801e9b9169f582bf769bb2f21e173248c70766a83e09b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
225B

MD5
8b299155eaecb350b2219387e5598fff

SHA1
1debdaadf42cb5fea708ee31228c5d7e37eb9c96

SHA256
3bcd52bdb694d979a0bdb80bd130798e5dbbaa28a0da8e8eccda1f4c8aab081a

SHA512
02df7c9f7ae8d7ccdf557c4f726cab62fc8ae8cde7a22a4b7f8c7ba88ec9c20a87e9a24627c8468831dcc651857988d7daddd6ade65a941c6418984e0ac2c14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
225B

MD5
8cfbf26365e68180574b269d694dda31

SHA1
a1b76de996a152f5eddfe77e7226de94e96bda18

SHA256
bd5c5dfd091fa71fb88acbe2183cbe20893e50df511661b1394576282f2d5fdd

SHA512
3efd8e1981da9e6bb189f3b61e878e5ba7c619824a68f19ba180df34f43da611f7498c1cf30d11596ad2a43e37eb67fd23eda2188cf94df0f10ab175068fd31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
225B

MD5
aa7c4ca2f08187710043edc80bcb3798

SHA1
053b0aaad569a5bc67d85cf98c73a232957b71f0

SHA256
9b285366b1f187b648cb4edf19f7c64fc5b535151fbd0311506cef55f75c828e

SHA512
8a58377976ad8d5a7e7c0924fa96ba004e86b4007bfeecc7dddb9b5b4e98593a8eaa481c6e60e719ecb0868982b329b15773bace153e6f5fb7db418459fceac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat

Filesize
225B

MD5
d8ccb3bf2d77be21a5c916c581e3c57f

SHA1
2c1114fbfb77fe709da063f2f3947f0345dfd610

SHA256
b3ba82f2e3e7104395b8d70145e357bada1bc16df397b1b5f21c3ac88b44e2e7

SHA512
f5d439ce9004f3ca10a7b80656577540196c1ab5e56c9f0ffd8dfc08c6385e661def1130426ca4194d18bf7744f50174b0b718fac182c6e14131b51689130a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuRhIyamyW.bat

Filesize
225B

MD5
2911dc2c7c774eafa50acd7cc6efec0e

SHA1
f0d342aba44092379180ec2632a774253a862d8c

SHA256
277b66320840cad46376d88cb4c135c7db25004f2bb122256d536c6e499714e7

SHA512
615d7030fda6a460766471f7a67600fe5b5aba13c5947c6d27970f55b69d963d7194c9b54f261e530fe5bbc2b9c3da6199db212e29aeb71107b57524117459a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat

Filesize
225B

MD5
3f7c38f572e35d7d911731075875e008

SHA1
416f691b0a026bdf320e08d02b3d893260899d86

SHA256
cdb1dd8a8be2c89c640b2f268c85ad3b165fd9b739d42974b878917db3a0c5ac

SHA512
4c02cf3c0091ee94a25a4ab7ee39c7a788d549d6e6cb90280aa3f205a0158a060779192c841add26cfd022f93dd044fb18983a8d51ef2dcac73debfa001dbad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat

Filesize
225B

MD5
51e517b8172a21d3a62a160d1ec372af

SHA1
339b9aa2d116dd007366cc5d9bfc843c3f66405c

SHA256
6adb0ea1e56f9d218bf32964fb65e2d839f7e032c88e13a44f8081ac471245bb

SHA512
aeafa79393ef16e02a3e8d208c109f5e71fe0bc0f695b02a837876a7e039994841e42108fd6930bab99c7824ab26eabb94427960430813ce34edbf505b0ab36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
225B

MD5
06427336df2c2649101e9dfc5c642466

SHA1
c2c2839863bd7e399de4c8451e48aa1e61f13a96

SHA256
2b4d1b8692146b4fa0b1df3ac8b8260fc01586b75d8a481e801cb83e7c6f2510

SHA512
d21b416c2dada30dbf20c3d9a2de095218c06afd4a4ee489730a5287513914c0f2c72a086c6e5bd1862dff9d2ea6f65812229d1409dbd090e4ad0a1526c304d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat

Filesize
225B

MD5
dea2bf37434329a65da9782abb26dcdb

SHA1
bcd021d81f5ab85414b8ceacb82488b02eb92539

SHA256
0e21d620933280186bdc861adb05557423e594af341e61c66ca9af9031e907bc

SHA512
462efee098a27dcdc33f9968521a046a1571df4dc8b2dbf5a215b9dbbd2a9d9332442f4a19af3f421a253cc140f6757bbe063f732477b6f16fa91b703a1e437d

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
225B

MD5
fa7d5fb79223e09acee89f43eb501af4

SHA1
7f4f6835e5091e25056a235ece202e090de6f026

SHA256
7f05cd58d87f95ae4a3044da600b9509dfe10cbe4593c6793283404e12535641

SHA512
cb247293b5d378425a263ee34aef1edfa793bd40e967a9bc40fb65e50b1002c69a088f5984417a59d916840c5250397c5d99b6250ce1fc10074e9c52fa585e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat

Filesize
225B

MD5
305b154b87b78283442a063df463b699

SHA1
2e861e5d8c6b9bb39f9ac2cfbcb98fabcaf86ca9

SHA256
5493f2aefe9cad99ce047f6d43310db5fab1b69878caad22fde849b9d2443a75

SHA512
c6685e22c29c2f089ab048acdc6d0180f797580e45b7e6cbe43baf6e03917bee2632da0f3f20d993983568d074dde2734a9b6450367aece5a1417c89898d602a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1808-1007-0x00000000029C0000-0x00000000029D2000-memory.dmp

Filesize
72KB

Download
memory/2016-377-0x000002482C650000-0x000002482C672000-memory.dmp

Filesize
136KB

Download
memory/2808-1001-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/3704-183-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3704-182-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4424-995-0x00000000008E0000-0x00000000008F2000-memory.dmp

Filesize
72KB

Download
memory/4532-388-0x0000023B52E60000-0x0000023B52ED6000-memory.dmp

Filesize
472KB

Download
memory/4588-285-0x0000000002230000-0x000000000223C000-memory.dmp

Filesize
48KB

Download
memory/4588-286-0x0000000002290000-0x000000000229C000-memory.dmp

Filesize
48KB

Download
memory/4588-287-0x00000000022F0000-0x00000000022FC000-memory.dmp

Filesize
48KB

Download
memory/4588-283-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/4588-284-0x0000000002220000-0x0000000002232000-memory.dmp

Filesize
72KB

Download
memory/4752-1018-0x00000000015F0000-0x0000000001602000-memory.dmp

Filesize
72KB

Download
memory/4888-160-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-143-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-168-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-167-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-169-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-166-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-165-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-164-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-117-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-163-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-171-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-162-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-161-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-172-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-159-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-158-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-156-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-157-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-155-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-154-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-153-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-152-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-151-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-149-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-150-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-148-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-147-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-146-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-145-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-144-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-173-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-170-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-142-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-174-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-141-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-140-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-175-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-139-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-138-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-137-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-136-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-176-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-135-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-134-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-133-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-132-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-131-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-130-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-129-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-128-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-127-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-177-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-126-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-125-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-123-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-122-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-120-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-178-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-119-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-179-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-180-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4888-118-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4988-989-0x00000000013A0000-0x00000000013B2000-memory.dmp

Filesize
72KB

Download
memory/5256-978-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/5572-764-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download