dcrat | e0ddaba47cd90a409d28526d812f75f42595fa1d9f6229de8dff906746266009

Analysis

max time kernel
148s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0ddaba47cd90a409d28526d812f75f42595fa1d9f6229de8dff906746266009.exe
Size

1.3MB
MD5

b8b65b25dc0d71f06ef1c9bd430a2f42
SHA1

304a93aec19ca28e3f24e6fad5f6544b87ef0175
SHA256

e0ddaba47cd90a409d28526d812f75f42595fa1d9f6229de8dff906746266009
SHA512

d855191f9b1a307fe0d85fd1f89b9a4e25a5967bb32812a5c797cf520b4a13024ba33f1bf3b320dfbe7406f028c2a743484781b8e325c32050845274accd7dad
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4948	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4948	schtasks.exe	71

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001abdb-284.dat	dcrat
behavioral1/files/0x000900000001abdb-285.dat	dcrat
behavioral1/memory/4760-286-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/files/0x000600000001abf9-758.dat	dcrat
behavioral1/files/0x000600000001abf9-760.dat	dcrat
behavioral1/files/0x000600000001abf9-1084.dat	dcrat
behavioral1/files/0x000600000001abf9-1091.dat	dcrat
behavioral1/files/0x000600000001abf9-1097.dat	dcrat
behavioral1/files/0x000600000001abf9-1102.dat	dcrat
behavioral1/files/0x000600000001abf9-1108.dat	dcrat
behavioral1/files/0x000600000001abf9-1114.dat	dcrat
behavioral1/files/0x000600000001abf9-1119.dat	dcrat
behavioral1/files/0x000600000001abf9-1125.dat	dcrat
behavioral1/files/0x000600000001abf9-1130.dat	dcrat

Executes dropped EXE 11 IoCs

pid	Process
4760	DllCommonsvc.exe
4996	spoolsv.exe
4912	spoolsv.exe
1888	spoolsv.exe
3120	spoolsv.exe
5272	spoolsv.exe
3548	spoolsv.exe
5528	spoolsv.exe
2112	spoolsv.exe
5752	spoolsv.exe
3224	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\IME\it-IT\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\Common\fr-FR\System.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\pris\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\taskhostw.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Migration\WTR\taskhostw.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Windows\IME\it-IT\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\pris\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4400	schtasks.exe
452	schtasks.exe
3132	schtasks.exe
4196	schtasks.exe
2304	schtasks.exe
4248	schtasks.exe
3180	schtasks.exe
2724	schtasks.exe
4780	schtasks.exe
688	schtasks.exe
3456	schtasks.exe
4540	schtasks.exe
548	schtasks.exe
1184	schtasks.exe
208	schtasks.exe
3124	schtasks.exe
3440	schtasks.exe
2884	schtasks.exe
4044	schtasks.exe
1876	schtasks.exe
2064	schtasks.exe
240	schtasks.exe
3488	schtasks.exe
2712	schtasks.exe
536	schtasks.exe
2336	schtasks.exe
2704	schtasks.exe
2236	schtasks.exe
2508	schtasks.exe
1308	schtasks.exe
3404	schtasks.exe
340	schtasks.exe
1784	schtasks.exe
4860	schtasks.exe
2112	schtasks.exe
380	schtasks.exe
336	schtasks.exe
2700	schtasks.exe
4224	schtasks.exe
840	schtasks.exe
4892	schtasks.exe
1076	schtasks.exe
8	schtasks.exe
3684	schtasks.exe
3480	schtasks.exe
4896	schtasks.exe
932	schtasks.exe
4124	schtasks.exe
1448	schtasks.exe
1788	schtasks.exe
2556	schtasks.exe
3164	schtasks.exe
1640	schtasks.exe
1180	schtasks.exe
2092	schtasks.exe
4984	schtasks.exe
672	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	e0ddaba47cd90a409d28526d812f75f42595fa1d9f6229de8dff906746266009.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4760	DllCommonsvc.exe
4112	powershell.exe
4112	powershell.exe
3712	powershell.exe
3712	powershell.exe
1720	powershell.exe
1720	powershell.exe
3812	powershell.exe
3812	powershell.exe
1380	powershell.exe
1380	powershell.exe
2916	powershell.exe
2916	powershell.exe
3752	powershell.exe
3752	powershell.exe
4072	powershell.exe
4072	powershell.exe
784	powershell.exe
784	powershell.exe
4332	powershell.exe
4332	powershell.exe
4316	powershell.exe
4316	powershell.exe
4408	powershell.exe
4408	powershell.exe
4804	powershell.exe
4804	powershell.exe
4764	powershell.exe
4764	powershell.exe
4004	powershell.exe
4004	powershell.exe
1872	powershell.exe
1872	powershell.exe
2712	powershell.exe
2712	powershell.exe
5096	powershell.exe
5096	powershell.exe
3180	powershell.exe
3180	powershell.exe
1652	powershell.exe
1652	powershell.exe
4112	powershell.exe
4112	powershell.exe
3712	powershell.exe
3712	powershell.exe
1720	powershell.exe
1720	powershell.exe
3812	powershell.exe
3812	powershell.exe
784	powershell.exe
1380	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	DllCommonsvc.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeIncreaseQuotaPrivilege	3812	powershell.exe
Token: SeSecurityPrivilege	3812	powershell.exe
Token: SeTakeOwnershipPrivilege	3812	powershell.exe
Token: SeLoadDriverPrivilege	3812	powershell.exe
Token: SeSystemProfilePrivilege	3812	powershell.exe
Token: SeSystemtimePrivilege	3812	powershell.exe
Token: SeProfSingleProcessPrivilege	3812	powershell.exe
Token: SeIncBasePriorityPrivilege	3812	powershell.exe
Token: SeCreatePagefilePrivilege	3812	powershell.exe
Token: SeBackupPrivilege	3812	powershell.exe
Token: SeRestorePrivilege	3812	powershell.exe
Token: SeShutdownPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeSystemEnvironmentPrivilege	3812	powershell.exe
Token: SeRemoteShutdownPrivilege	3812	powershell.exe
Token: SeUndockPrivilege	3812	powershell.exe
Token: SeManageVolumePrivilege	3812	powershell.exe
Token: 33	3812	powershell.exe
Token: 34	3812	powershell.exe
Token: 35	3812	powershell.exe
Token: 36	3812	powershell.exe
Token: SeIncreaseQuotaPrivilege	4112	powershell.exe
Token: SeSecurityPrivilege	4112	powershell.exe
Token: SeTakeOwnershipPrivilege	4112	powershell.exe
Token: SeLoadDriverPrivilege	4112	powershell.exe
Token: SeSystemProfilePrivilege	4112	powershell.exe
Token: SeSystemtimePrivilege	4112	powershell.exe
Token: SeProfSingleProcessPrivilege	4112	powershell.exe
Token: SeIncBasePriorityPrivilege	4112	powershell.exe
Token: SeCreatePagefilePrivilege	4112	powershell.exe
Token: SeBackupPrivilege	4112	powershell.exe
Token: SeRestorePrivilege	4112	powershell.exe
Token: SeShutdownPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeSystemEnvironmentPrivilege	4112	powershell.exe
Token: SeRemoteShutdownPrivilege	4112	powershell.exe
Token: SeUndockPrivilege	4112	powershell.exe
Token: SeManageVolumePrivilege	4112	powershell.exe
Token: 33	4112	powershell.exe
Token: 34	4112	powershell.exe
Token: 35	4112	powershell.exe
Token: 36	4112	powershell.exe
Token: SeIncreaseQuotaPrivilege	3712	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1872	1896	e0ddaba47cd90a409d28526d812f75f42595fa1d9f6229de8dff906746266009.exe	67
PID 1896 wrote to memory of 1872	1896	e0ddaba47cd90a409d28526d812f75f42595fa1d9f6229de8dff906746266009.exe	67
PID 1896 wrote to memory of 1872	1896	e0ddaba47cd90a409d28526d812f75f42595fa1d9f6229de8dff906746266009.exe	67
PID 1872 wrote to memory of 3844	1872	WScript.exe	68
PID 1872 wrote to memory of 3844	1872	WScript.exe	68
PID 1872 wrote to memory of 3844	1872	WScript.exe	68
PID 3844 wrote to memory of 4760	3844	cmd.exe	70
PID 3844 wrote to memory of 4760	3844	cmd.exe	70
PID 4760 wrote to memory of 4112	4760	DllCommonsvc.exe	129
PID 4760 wrote to memory of 4112	4760	DllCommonsvc.exe	129
PID 4760 wrote to memory of 1720	4760	DllCommonsvc.exe	130
PID 4760 wrote to memory of 1720	4760	DllCommonsvc.exe	130
PID 4760 wrote to memory of 3712	4760	DllCommonsvc.exe	134
PID 4760 wrote to memory of 3712	4760	DllCommonsvc.exe	134
PID 4760 wrote to memory of 3812	4760	DllCommonsvc.exe	133
PID 4760 wrote to memory of 3812	4760	DllCommonsvc.exe	133
PID 4760 wrote to memory of 1380	4760	DllCommonsvc.exe	135
PID 4760 wrote to memory of 1380	4760	DllCommonsvc.exe	135
PID 4760 wrote to memory of 2916	4760	DllCommonsvc.exe	137
PID 4760 wrote to memory of 2916	4760	DllCommonsvc.exe	137
PID 4760 wrote to memory of 3752	4760	DllCommonsvc.exe	140
PID 4760 wrote to memory of 3752	4760	DllCommonsvc.exe	140
PID 4760 wrote to memory of 4072	4760	DllCommonsvc.exe	138
PID 4760 wrote to memory of 4072	4760	DllCommonsvc.exe	138
PID 4760 wrote to memory of 784	4760	DllCommonsvc.exe	143
PID 4760 wrote to memory of 784	4760	DllCommonsvc.exe	143
PID 4760 wrote to memory of 4332	4760	DllCommonsvc.exe	144
PID 4760 wrote to memory of 4332	4760	DllCommonsvc.exe	144
PID 4760 wrote to memory of 4316	4760	DllCommonsvc.exe	147
PID 4760 wrote to memory of 4316	4760	DllCommonsvc.exe	147
PID 4760 wrote to memory of 4408	4760	DllCommonsvc.exe	148
PID 4760 wrote to memory of 4408	4760	DllCommonsvc.exe	148
PID 4760 wrote to memory of 4804	4760	DllCommonsvc.exe	149
PID 4760 wrote to memory of 4804	4760	DllCommonsvc.exe	149
PID 4760 wrote to memory of 4764	4760	DllCommonsvc.exe	159
PID 4760 wrote to memory of 4764	4760	DllCommonsvc.exe	159
PID 4760 wrote to memory of 4004	4760	DllCommonsvc.exe	153
PID 4760 wrote to memory of 4004	4760	DllCommonsvc.exe	153
PID 4760 wrote to memory of 1872	4760	DllCommonsvc.exe	154
PID 4760 wrote to memory of 1872	4760	DllCommonsvc.exe	154
PID 4760 wrote to memory of 5096	4760	DllCommonsvc.exe	155
PID 4760 wrote to memory of 5096	4760	DllCommonsvc.exe	155
PID 4760 wrote to memory of 2712	4760	DllCommonsvc.exe	168
PID 4760 wrote to memory of 2712	4760	DllCommonsvc.exe	168
PID 4760 wrote to memory of 3180	4760	DllCommonsvc.exe	162
PID 4760 wrote to memory of 3180	4760	DllCommonsvc.exe	162
PID 4760 wrote to memory of 1652	4760	DllCommonsvc.exe	163
PID 4760 wrote to memory of 1652	4760	DllCommonsvc.exe	163
PID 4760 wrote to memory of 932	4760	DllCommonsvc.exe	169
PID 4760 wrote to memory of 932	4760	DllCommonsvc.exe	169
PID 932 wrote to memory of 3400	932	cmd.exe	171
PID 932 wrote to memory of 3400	932	cmd.exe	171
PID 932 wrote to memory of 4996	932	cmd.exe	173
PID 932 wrote to memory of 4996	932	cmd.exe	173
PID 4996 wrote to memory of 6116	4996	spoolsv.exe	174
PID 4996 wrote to memory of 6116	4996	spoolsv.exe	174
PID 6116 wrote to memory of 1412	6116	cmd.exe	176
PID 6116 wrote to memory of 1412	6116	cmd.exe	176
PID 6116 wrote to memory of 4912	6116	cmd.exe	177
PID 6116 wrote to memory of 4912	6116	cmd.exe	177
PID 4912 wrote to memory of 5816	4912	spoolsv.exe	178
PID 4912 wrote to memory of 5816	4912	spoolsv.exe	178
PID 5816 wrote to memory of 4980	5816	cmd.exe	180
PID 5816 wrote to memory of 4980	5816	cmd.exe	180

C:\Users\Admin\AppData\Local\Temp\e0ddaba47cd90a409d28526d812f75f42595fa1d9f6229de8dff906746266009.exe
"C:\Users\Admin\AppData\Local\Temp\e0ddaba47cd90a409d28526d812f75f42595fa1d9f6229de8dff906746266009.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\it-IT\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOPrivate\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\pris\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9iMPvVJ4No.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3400
      - C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:6116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1412
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4980
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat"
        11⤵
        
        PID:728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5736
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
        13⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2724
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat"
        15⤵
        
        PID:4860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3748
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"
        17⤵
        
        PID:4932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5588
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
        19⤵
        
        PID:3432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4920
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
        21⤵
        
        PID:4288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:6136
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        23⤵
        
        PID:6112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:60
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        "C:\Recovery\WindowsRE\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
        25⤵
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOPrivate\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\USOPrivate\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\USOPrivate\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\pris\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\pris\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\providercommon\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Policies\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Policies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c7cf4fec5e3212cd753869fe1e7e19a0

SHA1
2af6181fa7c37ecbfceeff4afe4156be58d2edd5

SHA256
50e13c2260e1f29595ed85224f861127dd6d51d57558b8fda5b59ee3295274f4

SHA512
b2d2e4b7d7de43c12408a55d3081c97ac811dc502f2de3f218de2355c11d809d1e83339c64bee6ed77df1d00910bf63120127fff312aab7162648844a40b0ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
805de740af902db7f1aead5cd173d953

SHA1
b5914e5b55892e67b018afc996cccee09384411e

SHA256
6c8fafd5e933280e2e0b9bcd73a46fc1dfa8193ba4683db50a8ac01e14588102

SHA512
f97a27b87a86ada57c66ad74df4247de01c121901490086b0dc9672cf3c188750aa33a35504ecbc5a2ec1985baa8309f827025b97129a03fbc768fd7745434be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
805de740af902db7f1aead5cd173d953

SHA1
b5914e5b55892e67b018afc996cccee09384411e

SHA256
6c8fafd5e933280e2e0b9bcd73a46fc1dfa8193ba4683db50a8ac01e14588102

SHA512
f97a27b87a86ada57c66ad74df4247de01c121901490086b0dc9672cf3c188750aa33a35504ecbc5a2ec1985baa8309f827025b97129a03fbc768fd7745434be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5fdb7f1fd2896a6f6034de50f32f7f12

SHA1
e0e590f7510b901b69ca2cfd01423435d202a84a

SHA256
797305a50fa43f452fbf7c1f7416c49a9eec721c69b4203d5919810a7848159a

SHA512
f8521d44561b9d2d5c3cb7e5cd10e3024b6d202718df57ef036af148dc3dea223b3a85d0ace4024acab4ea51eadd5265b846df452645932098435c4ffe59cc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a08d12062a99d7a43b57b2f46f2fe4a

SHA1
e99d5e9dbef1889347db3189db3ccb169832d4bd

SHA256
8f25b8ef029cf785dc1fc801ee4970b397c0def100c23fa44ee16dca2f0d65f1

SHA512
9bbb58d8f86a89466f1fc964dd886169b0f8e3d8b7431e0472f7dc3d39ad304e72480e4134e6b12ccd6392ea95891ae04b02175f2bda6ea06ccd88d988221f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
262e7ef3f77e2b176ed546eb3ba8d77e

SHA1
6aaabf0f63ecbc023d7094b923dbdeb7eafc597a

SHA256
f52b8541917bcfc10e4f3936f008aac912276fd8c018698f404e95f64dd6582e

SHA512
9c965eb68d5c252b5a559bd49f11e29774ffb03b0a7a9a0f0dcb2bf764b58f30080088eb00b72946bb904be2041b456aded8498580e24e7b2cc87eb8a2458178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77ae098871e2258e64649bcd0666a104

SHA1
bfd861ec8307292048f785601d1f95fdc6f4d7eb

SHA256
15302a5df3180e3343e2377fd34dab830410e509e52e7ba7489ea7d120b08991

SHA512
527e040ed69d10f8eceb52323131b6bc2a19b2be990084cea6caff678d8f4e2177e31a2654dd7866430086ed2251b5a43eda4e99956b926757aaa30d42292811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fe61d7b5a7f327585d38833aee721fa8

SHA1
28e8c573729c915590343ffb0dacb15eeeee6f00

SHA256
1a1292ebd5fafc38449a0139129aed7d3effa898732f08926a29926cdd6ed184

SHA512
354b45f2d4105774d550d46e345de3d66cc30355c43499fbe79d8b0c8845e11a8bfb32514aeb683412efbe35f4ccb100ca4581f56c42eb6ae8e192b391decd1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bff9f4896ceab00fa5a1e102f1220026

SHA1
6aca0c2fe89738c6a08ffff05ba8416972b7d832

SHA256
028946194e22af3483c31755ab274e4258a3707803f4536b33e6d73b2ec52786

SHA512
8626d1557cd55ce03f197e312cc20521df94b04ba6a7420ad3cf49ef8ac0335a6c0f51e4cc457b802d45f00629425030e98259f5e58dab7c839307f0f8bd17e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bff9f4896ceab00fa5a1e102f1220026

SHA1
6aca0c2fe89738c6a08ffff05ba8416972b7d832

SHA256
028946194e22af3483c31755ab274e4258a3707803f4536b33e6d73b2ec52786

SHA512
8626d1557cd55ce03f197e312cc20521df94b04ba6a7420ad3cf49ef8ac0335a6c0f51e4cc457b802d45f00629425030e98259f5e58dab7c839307f0f8bd17e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fbbe115d899e0001fa2b3f2b6704ee5e

SHA1
31afe76cfcd10230d5ba874ee6502b3139a86038

SHA256
0daf3edb11b1ac88f40940a4953aa9dd78fc6463b3682816e39bbb2021955752

SHA512
a4ad503545923e3d302ac9d3da37ebb937c557f6129e7f7e07cab099465e8e6dfb6b3cf1d8184b219b20dd24f1275c123b33aecf8fdc31c9f016ed9965203549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fbbe115d899e0001fa2b3f2b6704ee5e

SHA1
31afe76cfcd10230d5ba874ee6502b3139a86038

SHA256
0daf3edb11b1ac88f40940a4953aa9dd78fc6463b3682816e39bbb2021955752

SHA512
a4ad503545923e3d302ac9d3da37ebb937c557f6129e7f7e07cab099465e8e6dfb6b3cf1d8184b219b20dd24f1275c123b33aecf8fdc31c9f016ed9965203549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fbbe115d899e0001fa2b3f2b6704ee5e

SHA1
31afe76cfcd10230d5ba874ee6502b3139a86038

SHA256
0daf3edb11b1ac88f40940a4953aa9dd78fc6463b3682816e39bbb2021955752

SHA512
a4ad503545923e3d302ac9d3da37ebb937c557f6129e7f7e07cab099465e8e6dfb6b3cf1d8184b219b20dd24f1275c123b33aecf8fdc31c9f016ed9965203549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fe61d7b5a7f327585d38833aee721fa8

SHA1
28e8c573729c915590343ffb0dacb15eeeee6f00

SHA256
1a1292ebd5fafc38449a0139129aed7d3effa898732f08926a29926cdd6ed184

SHA512
354b45f2d4105774d550d46e345de3d66cc30355c43499fbe79d8b0c8845e11a8bfb32514aeb683412efbe35f4ccb100ca4581f56c42eb6ae8e192b391decd1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bc16c8acfb2502b4ff233a4f81426c2

SHA1
9bb257fbe97a0cc50eba7f24f29ee07dc6aa90f2

SHA256
a45fab8143f82a888a50f7df202ec76d4b800c8e7f8a83a421c42bdb3a5c316a

SHA512
2e545f9298e5a1fe7f6791f679be0c88464d9bff773e956821fba0eb597e8818ff8d32ed9ce4dd885599e4c3d39debe11007b18d053e8131b87660371e65fd7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2801ef3b5f0d82c411e81ef2f9313dda

SHA1
5fbde7d7ed90e881c289256c81768a22b9e3adbf

SHA256
3343d9e8b21ee8ddd3b197b593a336d37fa16e37f553c09cef30b0b06d503eac

SHA512
022116a2c4173dcccaba86a1a3b665151d8a6c96619f00ad6a8ef1a0f743f27ee0ed58ab6c072abdae7672ac7f8b5e6ace50db3bb1ed7405ae6c3ffe22485786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
74d631590338e45f5ae07d470a7c79fa

SHA1
9b83f934077b70c51d1e2e0e53060513aab7d595

SHA256
fdcb241f523c53bc1c79cd9989dc5301422008f7d7a183f3ef0a1dd2afbec605

SHA512
0b85f51bcb6330fbb3f224b784cc79044ccfc03efcb2de93faeecb8bc9a5ba538a043544b5bfdf8fbb79669bdd42c4b480359555748634395b8050e4581224c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e046cbb162dd02516ba78a35c578df7b

SHA1
15148a28ae7228987a88cb01911c357528893bf1

SHA256
a40f41d8075cc3a034def5a436cb5e0d749d47703c5ca2e4025f4b9b01d37ed4

SHA512
137fd17b9986667cd03c23e405a69c0813520bf1c73b96f4bfaae985e8de45091c56ff54968ce844f2c99a8dedd4d118259702382a33bd4e123bce9315fbe599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7585c72f1d8421e5e2e0d7f479a49876

SHA1
6298a275911f4fd19207a10b86677c5e17d98d06

SHA256
830134bffae300ee1e78c436c831b16389f3d27db09f7c10c77ab6c8c6e9b145

SHA512
a8ae8149a2529d7901f93dc1a9feeea4600729ceb8c045b5ec4ea9350813c628da9eebdf4e5f0a387d66d632ac5463a46091b8e4de19e0de80f42c995ab1f122

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
198B

MD5
7ef7359eeb101be31a0d527c917ece02

SHA1
edfc9cbff25090e099bd10dcd519fe4ddb81d93e

SHA256
e0aac14821e9bbdb14842b4119fdf651ba1dfe15783d559a772bd219f4eb7342

SHA512
79a6a9b5d8e91e795f1641d7d610a95db58cf34034125476c2dd4a3bf4a63ce921289282ff956bc7cabf6a09a69f73c9e0ab92d20a86a1840f1f400480bb9d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
198B

MD5
8558686b8076e756e517c1c220b6ec03

SHA1
35b12dd95070fa65b380f4f28da2d5e8852520c1

SHA256
74796b8b2e6c06f66da41453edc8530b81054f0da719044b05a2f211e38ec117

SHA512
d8ee83950ff03b8aa4e2892d2af9df9b7397376b04b3f37aea72908eb7a7ddf6d2428ea590c900899936f5beb543ba1f1d9ba78b625cf64b0edc956c4d78f299

Download Submit
C:\Users\Admin\AppData\Local\Temp\9iMPvVJ4No.bat

Filesize
198B

MD5
f82ae4e66918f2df33cf05e1fb0ea727

SHA1
f8631387a8f60f4369b844481783675def025371

SHA256
1df2090632d5c46039c93acf21679d7fe9406425b9ad0dbd7c5678f7de09cb7f

SHA512
28f7a2a096951b50f94fc782f9bff24abb006126e8ebeaef0e621765b842588559f0d5585577829074ca50d3438bafefdf2be2c0350ce8b5e90c83f54047b3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

Filesize
198B

MD5
1d49a7bce293c18938f19e9271101125

SHA1
5bc2b8708002055d6e684ed13c0cbf6fdea7c58f

SHA256
987a5cd729f4a55076bd14b0d5a86e9743de46599f38978c5f66823db14bbd5f

SHA512
ef20aec287d7f8cfb4ca6c9de5335baae695aeec4791e37764b1365ba20c07d772ae7c95d027e5d6b443d47847fed18828d8e956f7e03f4f73fb52bc68c881be

Download Submit
C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat

Filesize
198B

MD5
8edd38e08a8c85cfa5481996158e27c2

SHA1
1fb82da8a21397a7cc7566bf13b71a797c91b6cd

SHA256
af99a5901b6fd9a258ee900eb115f77c118bf943e3111fa9c32b38de60ce3923

SHA512
745895cc7686254c2227a10cd3a5352ab643677e0ad119350c4e15a507cff57de99faf7bb6eb3546bb828d5e39290e2f37fc7d9cce8ce0de73a6e2464bfe1a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat

Filesize
198B

MD5
223ba879a25374b609b830599af1eb1b

SHA1
35ace942eb073e146d90815c113919285d7852f5

SHA256
0e620f0c8487a3dc84990585944054c96aeea7f89bb84839dbd8870ea93d16e9

SHA512
db1b71a12ca8b91d26a7b384f0e8ae62152eaa7e37d4a60bfe691585165c240efdae1eb447d89d05a3e0a8a0bb1613879a9e908190b6b587bc0db4ec704af590

Download Submit
C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat

Filesize
198B

MD5
8054c2996de0d68fc12b58e422cb4285

SHA1
c7832265f90f1fe1dcf67a5ee1b163b29e4243ce

SHA256
c71d99646d4945ba1707bcc9612129353c59e2ca7644d30d2c000b4e6bc4e3be

SHA512
9d4975f632d86813126633388a95e0ffb21755538adbaf0fb07296ff00c78ad35fb1040d0a5b1eec0f1c5e96bd10ca580bbb26c77d18b998c97468b6999d18e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat

Filesize
198B

MD5
ca15e85b504fa5903d44479087da1139

SHA1
3ba035c77df266383b5d6461478a0958cc4267dc

SHA256
c7bbf40341dbba541067962c73eb91f04e9bbb385f43badc46e61c9307cdd563

SHA512
4d9d0e5deddf02110894ad800ac2d4813765f6dc31578a3837cbe6983126da93b2e9ee59c5343ea8f6a3c187d35400e6fe0db84ab527d7aac476bed8505607ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat

Filesize
198B

MD5
0041afde47dcb7da871fab8233eec3b1

SHA1
ed576e1fff83f95ea1d65859c2d48d82b6a14916

SHA256
ebe68c915f49fd5f78c368339b16b81865502b8a7bb73f4ea6dd9e1e71b43436

SHA512
eca5601da368256416586ac3979f8a9e0fad4087d670279b65383854320f6053192aba94484b8f02dc7600f884d5c30547ee64c589e877cb225ea0664eec0e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat

Filesize
198B

MD5
c1070d5fab83971e872486196c9c80d7

SHA1
8bf5a33860ec197c5fc4fd6491c6baa82aa7aa97

SHA256
bb49de0d8f3963b1d145a30d05a00ca2a9da3bdb1cb0ed664f5d8fa8b9f2ed5c

SHA512
c8be92cca052b4c64ca9a2f55d9340bf1cc814d1c748090da3c3cb70c435a081b65a69e0ace6a97e39c960180232f8133c66faec2a4ced7876c9468c0d9b0afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat

Filesize
198B

MD5
9eb567e196c3d03d66df6b5eebd89492

SHA1
9374d2c4f9d8f824e7522558b9b4afa4c5501aa2

SHA256
c5a7c511299bc888a167be6d00829d416e0a7235f1005f386d22549c858a06d4

SHA512
94c640ca86233e5a3689fb18dbee58ad3139504d3d904cfb5b2bc27b4a4ea0b400298682f01e8d859971adabd7231ddc5c6dcf081ab30036c9dbb7db8a7af384

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1872-185-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1872-186-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1888-1092-0x00000000015A0000-0x00000000015B2000-memory.dmp

Filesize
72KB

Download
memory/1896-167-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-173-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-182-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-181-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-121-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-122-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-180-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-179-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-123-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-125-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-126-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-128-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-129-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-147-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-178-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-130-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-148-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-177-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-131-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-132-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-133-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-135-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-134-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-136-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-137-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-145-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-138-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-139-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-176-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-140-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-183-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-175-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-174-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-146-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-141-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-170-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-142-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-143-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-144-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-172-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-171-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-169-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-168-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-120-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-166-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-165-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-164-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-163-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-162-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-161-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-160-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-159-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-158-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-157-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-156-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-155-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-154-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-153-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-152-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-151-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-150-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/1896-149-0x0000000077250000-0x00000000773DE000-memory.dmp

Filesize
1.6MB

Download
memory/2112-1120-0x0000000001750000-0x0000000001762000-memory.dmp

Filesize
72KB

Download
memory/3224-1131-0x00000000020D0000-0x00000000020E2000-memory.dmp

Filesize
72KB

Download
memory/3548-1109-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/4112-440-0x00000257B72F0000-0x00000257B7366000-memory.dmp

Filesize
472KB

Download
memory/4112-391-0x000002579EEA0000-0x000002579EEC2000-memory.dmp

Filesize
136KB

Download
memory/4760-288-0x000000001C010000-0x000000001C01C000-memory.dmp

Filesize
48KB

Download
memory/4760-286-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/4760-287-0x0000000002DF0000-0x0000000002E02000-memory.dmp

Filesize
72KB

Download
memory/4760-290-0x0000000002E20000-0x0000000002E2C000-memory.dmp

Filesize
48KB

Download
memory/4760-289-0x0000000002E00000-0x0000000002E0C000-memory.dmp

Filesize
48KB

Download
memory/4912-1086-0x00000000016F0000-0x0000000001702000-memory.dmp

Filesize
72KB

Download
memory/5272-1103-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download