dcrat | 605eff53b75ed979ee105a7c1392a22a9bf6fe91d2411207a2cc9f86b7388f09

Analysis

max time kernel
144s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

605eff53b75ed979ee105a7c1392a22a9bf6fe91d2411207a2cc9f86b7388f09.exe
Size

1.3MB
MD5

0ca2f7fe7e679374b5ad5446b087eb01
SHA1

13b706a4a6abe1c6efe31b9994722a9c7cef494c
SHA256

605eff53b75ed979ee105a7c1392a22a9bf6fe91d2411207a2cc9f86b7388f09
SHA512

9c1a9b47d8a1bc544196fb9fca7df05e8c527172160a84d7587b6426dac536a81015cf0ac5735f70228bf1cbb135a30b07765329e99d60347b6997e04fd56a1b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	160	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	200	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	188	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	4140	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abf6-284.dat	dcrat
behavioral1/files/0x000800000001abf6-285.dat	dcrat
behavioral1/memory/4684-286-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac3c-383.dat	dcrat
behavioral1/files/0x000600000001ac3c-384.dat	dcrat
behavioral1/files/0x000600000001ac3c-875.dat	dcrat
behavioral1/files/0x000600000001ac3c-1003.dat	dcrat
behavioral1/files/0x000600000001ac3c-1009.dat	dcrat
behavioral1/files/0x000600000001ac3c-1014.dat	dcrat
behavioral1/files/0x000600000001ac3c-1019.dat	dcrat
behavioral1/files/0x000600000001ac3c-1024.dat	dcrat
behavioral1/files/0x000600000001ac3c-1030.dat	dcrat
behavioral1/files/0x000600000001ac3c-1035.dat	dcrat
behavioral1/files/0x000600000001ac3c-1040.dat	dcrat
behavioral1/files/0x000600000001ac3c-1046.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4684	DllCommonsvc.exe
196	taskhostw.exe
2144	taskhostw.exe
5480	taskhostw.exe
5528	taskhostw.exe
5144	taskhostw.exe
6056	taskhostw.exe
3764	taskhostw.exe
4552	taskhostw.exe
3492	taskhostw.exe
5216	taskhostw.exe
5300	taskhostw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Common Files\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Common Files\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Common Files\DESIGNER\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\DESIGNER\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\System.exe	DllCommonsvc.exe
File created	C:\Windows\twain_32\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1560	schtasks.exe
220	schtasks.exe
2288	schtasks.exe
496	schtasks.exe
1308	schtasks.exe
1040	schtasks.exe
4200	schtasks.exe
4552	schtasks.exe
3952	schtasks.exe
4864	schtasks.exe
188	schtasks.exe
200	schtasks.exe
4836	schtasks.exe
4192	schtasks.exe
3724	schtasks.exe
4772	schtasks.exe
1340	schtasks.exe
3280	schtasks.exe
2788	schtasks.exe
4788	schtasks.exe
832	schtasks.exe
2500	schtasks.exe
4740	schtasks.exe
4764	schtasks.exe
2172	schtasks.exe
4896	schtasks.exe
1296	schtasks.exe
2216	schtasks.exe
4780	schtasks.exe
1632	schtasks.exe
2960	schtasks.exe
4820	schtasks.exe
1740	schtasks.exe
1216	schtasks.exe
2680	schtasks.exe
520	schtasks.exe
884	schtasks.exe
3924	schtasks.exe
3808	schtasks.exe
600	schtasks.exe
656	schtasks.exe
2008	schtasks.exe
160	schtasks.exe
2732	schtasks.exe
2076	schtasks.exe
2456	schtasks.exe
3024	schtasks.exe
1664	schtasks.exe
1508	schtasks.exe
1584	schtasks.exe
4932	schtasks.exe
4796	schtasks.exe
4888	schtasks.exe
688	schtasks.exe
748	schtasks.exe
4492	schtasks.exe
4688	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	605eff53b75ed979ee105a7c1392a22a9bf6fe91d2411207a2cc9f86b7388f09.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
4684	DllCommonsvc.exe
2688	powershell.exe
2688	powershell.exe
2664	powershell.exe
2664	powershell.exe
4728	powershell.exe
4728	powershell.exe
3772	powershell.exe
3772	powershell.exe
4956	powershell.exe
4956	powershell.exe
1744	powershell.exe
1744	powershell.exe
1424	powershell.exe
1424	powershell.exe
4448	powershell.exe
4448	powershell.exe
824	powershell.exe
824	powershell.exe
4364	powershell.exe
4364	powershell.exe
4556	powershell.exe
4556	powershell.exe
5024	powershell.exe
5024	powershell.exe
3144	powershell.exe
3144	powershell.exe
3520	powershell.exe
3520	powershell.exe
4328	powershell.exe
4328	powershell.exe
4300	powershell.exe
4300	powershell.exe
3508	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4684	DllCommonsvc.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	196	taskhostw.exe
Token: SeIncreaseQuotaPrivilege	4300	powershell.exe
Token: SeSecurityPrivilege	4300	powershell.exe
Token: SeTakeOwnershipPrivilege	4300	powershell.exe
Token: SeLoadDriverPrivilege	4300	powershell.exe
Token: SeSystemProfilePrivilege	4300	powershell.exe
Token: SeSystemtimePrivilege	4300	powershell.exe
Token: SeProfSingleProcessPrivilege	4300	powershell.exe
Token: SeIncBasePriorityPrivilege	4300	powershell.exe
Token: SeCreatePagefilePrivilege	4300	powershell.exe
Token: SeBackupPrivilege	4300	powershell.exe
Token: SeRestorePrivilege	4300	powershell.exe
Token: SeShutdownPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeSystemEnvironmentPrivilege	4300	powershell.exe
Token: SeRemoteShutdownPrivilege	4300	powershell.exe
Token: SeUndockPrivilege	4300	powershell.exe
Token: SeManageVolumePrivilege	4300	powershell.exe
Token: 33	4300	powershell.exe
Token: 34	4300	powershell.exe
Token: 35	4300	powershell.exe
Token: 36	4300	powershell.exe
Token: SeIncreaseQuotaPrivilege	2664	powershell.exe
Token: SeSecurityPrivilege	2664	powershell.exe
Token: SeTakeOwnershipPrivilege	2664	powershell.exe
Token: SeLoadDriverPrivilege	2664	powershell.exe
Token: SeSystemProfilePrivilege	2664	powershell.exe
Token: SeSystemtimePrivilege	2664	powershell.exe
Token: SeProfSingleProcessPrivilege	2664	powershell.exe
Token: SeIncBasePriorityPrivilege	2664	powershell.exe
Token: SeCreatePagefilePrivilege	2664	powershell.exe
Token: SeBackupPrivilege	2664	powershell.exe
Token: SeRestorePrivilege	2664	powershell.exe
Token: SeShutdownPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeSystemEnvironmentPrivilege	2664	powershell.exe
Token: SeRemoteShutdownPrivilege	2664	powershell.exe
Token: SeUndockPrivilege	2664	powershell.exe
Token: SeManageVolumePrivilege	2664	powershell.exe
Token: 33	2664	powershell.exe
Token: 34	2664	powershell.exe
Token: 35	2664	powershell.exe
Token: 36	2664	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 1940	3492	605eff53b75ed979ee105a7c1392a22a9bf6fe91d2411207a2cc9f86b7388f09.exe	66
PID 3492 wrote to memory of 1940	3492	605eff53b75ed979ee105a7c1392a22a9bf6fe91d2411207a2cc9f86b7388f09.exe	66
PID 3492 wrote to memory of 1940	3492	605eff53b75ed979ee105a7c1392a22a9bf6fe91d2411207a2cc9f86b7388f09.exe	66
PID 1940 wrote to memory of 4388	1940	WScript.exe	67
PID 1940 wrote to memory of 4388	1940	WScript.exe	67
PID 1940 wrote to memory of 4388	1940	WScript.exe	67
PID 4388 wrote to memory of 4684	4388	cmd.exe	69
PID 4388 wrote to memory of 4684	4388	cmd.exe	69
PID 4684 wrote to memory of 2664	4684	DllCommonsvc.exe	128
PID 4684 wrote to memory of 2664	4684	DllCommonsvc.exe	128
PID 4684 wrote to memory of 2688	4684	DllCommonsvc.exe	129
PID 4684 wrote to memory of 2688	4684	DllCommonsvc.exe	129
PID 4684 wrote to memory of 3772	4684	DllCommonsvc.exe	130
PID 4684 wrote to memory of 3772	4684	DllCommonsvc.exe	130
PID 4684 wrote to memory of 4956	4684	DllCommonsvc.exe	132
PID 4684 wrote to memory of 4956	4684	DllCommonsvc.exe	132
PID 4684 wrote to memory of 4728	4684	DllCommonsvc.exe	133
PID 4684 wrote to memory of 4728	4684	DllCommonsvc.exe	133
PID 4684 wrote to memory of 1424	4684	DllCommonsvc.exe	134
PID 4684 wrote to memory of 1424	4684	DllCommonsvc.exe	134
PID 4684 wrote to memory of 1744	4684	DllCommonsvc.exe	135
PID 4684 wrote to memory of 1744	4684	DllCommonsvc.exe	135
PID 4684 wrote to memory of 4328	4684	DllCommonsvc.exe	137
PID 4684 wrote to memory of 4328	4684	DllCommonsvc.exe	137
PID 4684 wrote to memory of 4448	4684	DllCommonsvc.exe	142
PID 4684 wrote to memory of 4448	4684	DllCommonsvc.exe	142
PID 4684 wrote to memory of 824	4684	DllCommonsvc.exe	143
PID 4684 wrote to memory of 824	4684	DllCommonsvc.exe	143
PID 4684 wrote to memory of 4556	4684	DllCommonsvc.exe	146
PID 4684 wrote to memory of 4556	4684	DllCommonsvc.exe	146
PID 4684 wrote to memory of 4364	4684	DllCommonsvc.exe	153
PID 4684 wrote to memory of 4364	4684	DllCommonsvc.exe	153
PID 4684 wrote to memory of 5024	4684	DllCommonsvc.exe	149
PID 4684 wrote to memory of 5024	4684	DllCommonsvc.exe	149
PID 4684 wrote to memory of 3144	4684	DllCommonsvc.exe	152
PID 4684 wrote to memory of 3144	4684	DllCommonsvc.exe	152
PID 4684 wrote to memory of 3520	4684	DllCommonsvc.exe	154
PID 4684 wrote to memory of 3520	4684	DllCommonsvc.exe	154
PID 4684 wrote to memory of 3508	4684	DllCommonsvc.exe	156
PID 4684 wrote to memory of 3508	4684	DllCommonsvc.exe	156
PID 4684 wrote to memory of 4300	4684	DllCommonsvc.exe	165
PID 4684 wrote to memory of 4300	4684	DllCommonsvc.exe	165
PID 4684 wrote to memory of 4192	4684	DllCommonsvc.exe	159
PID 4684 wrote to memory of 4192	4684	DllCommonsvc.exe	159
PID 4684 wrote to memory of 4812	4684	DllCommonsvc.exe	160
PID 4684 wrote to memory of 4812	4684	DllCommonsvc.exe	160
PID 4684 wrote to memory of 4760	4684	DllCommonsvc.exe	161
PID 4684 wrote to memory of 4760	4684	DllCommonsvc.exe	161
PID 4684 wrote to memory of 196	4684	DllCommonsvc.exe	168
PID 4684 wrote to memory of 196	4684	DllCommonsvc.exe	168
PID 196 wrote to memory of 3604	196	taskhostw.exe	170
PID 196 wrote to memory of 3604	196	taskhostw.exe	170
PID 3604 wrote to memory of 5644	3604	cmd.exe	172
PID 3604 wrote to memory of 5644	3604	cmd.exe	172
PID 3604 wrote to memory of 2144	3604	cmd.exe	173
PID 3604 wrote to memory of 2144	3604	cmd.exe	173
PID 2144 wrote to memory of 5040	2144	taskhostw.exe	174
PID 2144 wrote to memory of 5040	2144	taskhostw.exe	174
PID 5040 wrote to memory of 5460	5040	cmd.exe	176
PID 5040 wrote to memory of 5460	5040	cmd.exe	176
PID 5040 wrote to memory of 5480	5040	cmd.exe	177
PID 5040 wrote to memory of 5480	5040	cmd.exe	177
PID 5480 wrote to memory of 5960	5480	taskhostw.exe	178
PID 5480 wrote to memory of 5960	5480	taskhostw.exe	178

C:\Users\Admin\AppData\Local\Temp\605eff53b75ed979ee105a7c1392a22a9bf6fe91d2411207a2cc9f86b7388f09.exe
"C:\Users\Admin\AppData\Local\Temp\605eff53b75ed979ee105a7c1392a22a9bf6fe91d2411207a2cc9f86b7388f09.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\DllCommonsvc.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\DllCommonsvc.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
    - - C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5644
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38GCmEMl12.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5460
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        10⤵
        
        PID:5960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5732
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        12⤵
        
        PID:5748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5036
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        14⤵
        
        PID:3996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:6040
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        16⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5228
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        18⤵
        
        PID:5784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3156
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        20⤵
        
        PID:4404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:688
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        22⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4988
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        24⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4484
        
        C:\Program Files\Windows Portable Devices\taskhostw.exe
        
        "C:\Program Files\Windows Portable Devices\taskhostw.exe"
        25⤵
        Executes dropped EXE
        
        PID:5300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\DESIGNER\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\DESIGNER\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\taskhostw.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
666645396c2ed47289bcde84115d9d2c

SHA1
1dacfec155d8a12dcc82fe379065a2e8c40f0f2c

SHA256
2913fcb0ba9c883a39984545cc43be1a35b2cc4675304f109aec03ce197be6c5

SHA512
01f79e028aa30418f6e37f420fb16ec7102c4a02a0051bec89528d42743ac1861e859125636024fe83de58a3dd97d31f468e5070a579706b42846f9499fd2efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f25fb174c8262dace3c0a3a12fec84e5

SHA1
36665cffc83cd69c8e21f90dea572104e45b1fdf

SHA256
abd2104d11e573f416169c6b51e7533847b75c486a32363b3e5fcf69b08e3d48

SHA512
3ffbcd5d2b1c6fb44807befe5de08ba2b80681616e0c44e65f7a24e8f5077d9f6f75580f6d56b81779be290a76cdc13389e894fd927b983c9e94abdc105bde02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
607c8822d414a123ee3eb85a7b5d9feb

SHA1
c037599a3cbb79853ded7b6ee1b2a9546f7e315f

SHA256
d70834a3d9351882a7b209805be7fcaf0f7250ff42ce331171a1a62f5f68b74b

SHA512
52420736589935746ef139bc9d172b099fa1a78f3fd463e8e7de0ee2830abf42cba8420b8026d9f35c4e2ca2afab147f19cc8f12c6a8fd54e66932f30b3eab67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb4dbae6ef1affb84a4c6d2c575d37ba

SHA1
732cf6df9b86e8986cf45d02ac382bee81d055c4

SHA256
a8f0b4e9625343d320200d676e6686c6ac841839086f7efb6490f874e6d98fd3

SHA512
2932990aae608671205bdb9fc047589149740d6c75a8d76364c7b29cf03d45f724f170f8f8807586bfbe70864e41cf5556b7b254f07054d56e4c2a79b2764cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7adbb0a3d6019bbd54be92fe923f5761

SHA1
7d17a43a7c24d45ff1d0d36ef8fb74aff9318447

SHA256
b9a779b1f5e5abea127510fd7db343cd007c1b8251ac9a46e13fb85d64741d78

SHA512
778d8801fea638225a6281d320c263ba3a7391df2d7a44c96bb1ed6557fc25f311defd0d1282b96174bb51718621559f85bc88b94816ea2904296fd9a5c73afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e5347db0244b589061c4af98e9cc251

SHA1
b2a56ecd73d391b20de4bb55c6cf05cc50cc0030

SHA256
2b45c93bbde1886c02ffc1b09d92ab5dcb5a3b6d20783d47849549ffe5627a32

SHA512
3784d1b84cf613e03feb39e38231352e3f392e8573d4c5befbcdfe2d76bc82109b470a9d371d14a522d01b99e9b6018a73a488c7b1567f11c7098a74fc2ead7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1f557fdbaebe9ec8edb4a1132e4eaef

SHA1
7606335de1dc4666db42fa84ac046b42c84befaf

SHA256
f926d2eaaa282764774a0b0c072d9c74fecfe4c6cfab6bbc8972bc36218004c9

SHA512
93fa9c168775fcdbc97e57aea43c1c4181981640e2135ce1063310ef9b1b1a605ee9def5ec75cb9490fb73690fdd733e75d8661033cdc0704b99acc096f027d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b725bfcb773e7c1f7e9c6ae9db2c9001

SHA1
62f0395613ca897e46fc7c77f024439173c88b8a

SHA256
8b024ef54698f097b768785eec95b59b704be137283c30a951556e023581dc82

SHA512
c313de245c315de773b20e6bc566db9b20b2023228b0a80b51db9c1188accc857563ebd65bb31b420a30a75129dcf2ea56dfb1c2a0dfccf7dd50ac4f4e04fa42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e520013ed917ee7225b1315f1727f8f0

SHA1
d840425a04e04f29e0f931b5eaaad048a3ffa478

SHA256
e7582b7fc76ba4d0d292791ff4dbe7e88096724948b050efd5fc7bfa1600e1a9

SHA512
dd0408367398ec98568ab3d8c7e502006ba6839f0f68e492bd9f70bdb3199a5bec1f56b7d0c37252604181d65f035912c7a7517131aee62a5fd0a706ce24986b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e520013ed917ee7225b1315f1727f8f0

SHA1
d840425a04e04f29e0f931b5eaaad048a3ffa478

SHA256
e7582b7fc76ba4d0d292791ff4dbe7e88096724948b050efd5fc7bfa1600e1a9

SHA512
dd0408367398ec98568ab3d8c7e502006ba6839f0f68e492bd9f70bdb3199a5bec1f56b7d0c37252604181d65f035912c7a7517131aee62a5fd0a706ce24986b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb7bf818c4f2548d8cb860c2c220a228

SHA1
fbdcdd851a6e2a143175a7b6aa175a8fd34223a6

SHA256
a491f46f6cc81a18eef33c6f533e64a9437c64232bc9c83a52cf048ff0f1c3b4

SHA512
3af509b8eb73cb298f5f2aa1ff431072981da13d1d092c5e22799dedc95bb85b64697f665edc8a07438fc77198e758630efd5255bbe830583006b67cb31cfa9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
822b0b04c9a865bc594625418bb583c7

SHA1
e36e9f4aaec7b77306cb0e46beb3e2ce9153f00e

SHA256
c225f6ccd693600583c4c7c6b077e196815a22f24de8019b6333b0ddfcdb8b21

SHA512
fa29ec5bdd690e5540968ec1e6688a20f19dacd088462d79480f4a55deddc9c0b57ad2b43d214c21e7116d8b1c4c86cc10977c04fa8a7baa4420b4b3caedb908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
822b0b04c9a865bc594625418bb583c7

SHA1
e36e9f4aaec7b77306cb0e46beb3e2ce9153f00e

SHA256
c225f6ccd693600583c4c7c6b077e196815a22f24de8019b6333b0ddfcdb8b21

SHA512
fa29ec5bdd690e5540968ec1e6688a20f19dacd088462d79480f4a55deddc9c0b57ad2b43d214c21e7116d8b1c4c86cc10977c04fa8a7baa4420b4b3caedb908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa855d678071cea9dd7d48ae350be815

SHA1
78eea994e8ec58daaf811fa721f5def67c6c02d0

SHA256
49f5273848222266d3916e7c10cfe6538d3b149b02784193d5d7f60327928a9b

SHA512
cead6719edf909ec95257429e31881124008c2ab585df80302b8d949dc283f2b746b66b48de4f2016fc6761d47c724157ace12a77934f0284d0a1c81d4575cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa855d678071cea9dd7d48ae350be815

SHA1
78eea994e8ec58daaf811fa721f5def67c6c02d0

SHA256
49f5273848222266d3916e7c10cfe6538d3b149b02784193d5d7f60327928a9b

SHA512
cead6719edf909ec95257429e31881124008c2ab585df80302b8d949dc283f2b746b66b48de4f2016fc6761d47c724157ace12a77934f0284d0a1c81d4575cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ab4e6d2533b8b68c1830eccdbbfa27b7

SHA1
2a275de52fe8a86fc1485422576468b561ef3621

SHA256
c244c24b0ee1d81998081895765d2e5513f4623904e1a1e274489a128d87ae01

SHA512
b2de17b25c40ce405fe08e57caa8d45c46f707d240b98894274314ae43d5547c47c116d896feb4ff3e7141c8d603ff4e2e1c7ac68a93f25bf4ed17747150a227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f9816750801ff8a5a77ec2b7b327c99

SHA1
d780b5a9d230359f8b0f8a76666407d97bbff0e8

SHA256
0f718992aab16cfc76548bde6d00eb859b231e9f5ae3d1376f7e15a0847398a7

SHA512
ccddb65deccb992e1b6e4851eb81e233439b3f759c8a9052744e8041fbd03748e4e546c48c135454a5049df95163281873d0224547293655f61af1066a650118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ecbc83ad3c2b406be77c942f5c7900b

SHA1
701dbb789505238648786ed1ea0b2c70a05dc14e

SHA256
4e161cb49f868d8f8a27bbcaec9a99b6b8360bbe168883b13fe3dc2331b56248

SHA512
b5ae88865397b6bcf14ec7bc8ef30cd4e32640321180ad6d52cc2d192b6e22dd6c5df83e5694e67d94bf23c7ccab0c7e8b1d54ccd721623f6801c5bee2962521

Download Submit
C:\Users\Admin\AppData\Local\Temp\38GCmEMl12.bat

Filesize
220B

MD5
874457d587dca7ec7f657e0424ffc081

SHA1
dca1c4e06124e37e459f5d8f189b42ad7c31fc28

SHA256
49e66b3bca3261c262c495307df9be019a024efdc1356149440201e5ecc18445

SHA512
6f82664f856e8b3141d1b5442bee9747385674f7be2554f5a5351b2c25d58441866159c3ea2dd848258e4d0ddaa2f725db50027e50c173108ffab96d4bd61c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
220B

MD5
3ff9d4b29f80a5005e567d36d5db1e12

SHA1
602b6553ed9e72bea6fdc8724cbab411112e26d3

SHA256
9529e2e8e93beaa6efa38df09dc722e02b3e89fd53778efc8c612653a573ed34

SHA512
5b73af9396ce979424e95b4b0abcf8a61ccb00b21da1c4c87989a4cf0141048591b5e0e18736c7007066846ca7d8e8718f43ed3ed11ef5e06e5c7f1fcbfbf57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
220B

MD5
1680fff814d7ee3c6fc2c97c691a531c

SHA1
23c9d290afff3d6852b9e1b25f1f3424ac756627

SHA256
87bd2981ab964536ea6367422e52b27b9b34b9d03892d48f609c36616644bd36

SHA512
ea45ccd52fcf4cbd9bea13f341c2a626acebc5073fc148cc9b4a3305faefaf26e7d8f97de16eedccf229c31704221b569bb7e2ba86a2b08bcad58868bb13ad31

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat

Filesize
220B

MD5
96573ae33bcec1fa9dca3e2fe1697018

SHA1
2f66661f5545de87b0a31d0de78c58be5ddca9cd

SHA256
da9a904672e38cacea308139827d20b6acca2a27f33b1061d941d4f842997624

SHA512
2922ff5424be3873364f5f6b2c3549b5427dcd519ff890b9d777d8e354da595cc77c86994fc388f0b4f06dc318adfca2d7874e6faeaea847317ec34ada07ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
220B

MD5
bffa1970817b8bfcc64128da99d5322b

SHA1
92fab434a8181bc28c409d5bc347b7f91701cfaa

SHA256
66716fe2ff168f723ef34db81b799068e2cdb2df4ec86eae2e01a4dc7d47ec93

SHA512
a67c845007ec2c9010192e9649bf1876017c6f875e3c5fa53afd114b4cdb9cf499be69f5da760ec28ebcc1e1ffc93cd02f896fff3d0670f89bf1da1542bac47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

Filesize
220B

MD5
5445f10a41c7a129df6080dd8d406891

SHA1
fca3f202fce3662c8a5af7b7324c4f8e048905a6

SHA256
c80a77c9ecba7f143073fc5cac0b86ec2c5610c71ab7396bb37c85249b2352e2

SHA512
1c517a42f1c2fc8fa9df7007f8d120c6441cc287ae7245e34afd44a207c9698b9f629c4f683b73a1c50453f24b82c0bca38f56cde21faf77b9fd310c6773d361

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
220B

MD5
7222742916f90c0e73d9eca4298fdd1d

SHA1
9a73a0a76d38ee04676063c849a9b67b666b8677

SHA256
5f966b99935a8672970f4328edc984e9e24a6432820f76e3c4c669141e9f32c8

SHA512
dbade4593c1792d400386ade366ccefe4b5ffd1d3adc0d740b95342fba312a5c4b25b21edddff5498b17893a4d2878c397883c78f008fdf933dbc13a1f09715d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
220B

MD5
383d9120196ee792a98b77e4bc373cd0

SHA1
682356a6f4b2a4fa020a69fd0168a9ef5da5ccbc

SHA256
7f724f6aa029ce78355705114e87fe2dabb55fe65d688724951da1fe88a4326a

SHA512
63c5fd35a672209b99c443427d3883bbeb4ea417f64cdf00bf2eadad9439f0bb09ac4db245489c9840b1099dd56f4546c7120b9c68d99b883cf895e2a27641fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
220B

MD5
307ff8d91da35a83363eb69c05ba592c

SHA1
a65bba90c20cd1ce2b650739ab27062914888bac

SHA256
4dd4717d7277167a5ac8a109e591cdb4864be65146328ff41bd4aa9d11bfd48a

SHA512
09357f56f487f5329f5f949c83ae3908544457b6484fbd8bdea9a2e4a5c85d6774481ae0d6c1ed66578d95677167f13882302ed1842a155f616f597d22c36567

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
220B

MD5
669085c785fcc755d30baf741235731b

SHA1
19e3fce7941a62a5ca083ef2c59dcee3fe71e273

SHA256
d0d853516e7f3094722896c3582328d146293749a81dca6043b61e79cc1489fe

SHA512
dc56f176c0c4092fb7afe900ceda77986a4c4ef7cd7eb8a94380647a20f2b60abcf14ecdbd68e1739fd157d4f79d4ceda47f5664eff9c2309cba480707ba7925

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1940-186-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/1940-185-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/2144-897-0x0000000001510000-0x0000000001522000-memory.dmp

Filesize
72KB

Download
memory/2688-379-0x000001CB7BBD0000-0x000001CB7BBF2000-memory.dmp

Filesize
136KB

Download
memory/3492-120-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-139-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-182-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-162-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-181-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-180-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-179-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-178-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-161-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-160-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-177-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-159-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-176-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-175-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-121-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-174-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-173-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-172-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-122-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-170-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-158-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-157-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-171-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-163-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-169-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-123-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-156-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-125-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-126-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-128-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-164-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-168-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-167-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-155-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-154-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-129-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-130-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-153-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-152-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-166-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-151-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-150-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-165-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-149-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-148-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-147-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-146-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-145-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-144-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-142-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-143-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-136-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-141-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-140-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-183-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-138-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-137-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-135-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-134-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-133-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-132-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-131-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3764-1025-0x0000000002A00000-0x0000000002A12000-memory.dmp

Filesize
72KB

Download
memory/4300-397-0x00000218BE3D0000-0x00000218BE446000-memory.dmp

Filesize
472KB

Download
memory/4684-286-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/4684-289-0x000000001AC70000-0x000000001AC7C000-memory.dmp

Filesize
48KB

Download
memory/4684-290-0x000000001AC80000-0x000000001AC8C000-memory.dmp

Filesize
48KB

Download
memory/4684-288-0x000000001AC60000-0x000000001AC6C000-memory.dmp

Filesize
48KB

Download
memory/4684-287-0x000000001AC50000-0x000000001AC62000-memory.dmp

Filesize
72KB

Download
memory/5216-1041-0x0000000001080000-0x0000000001092000-memory.dmp

Filesize
72KB

Download
memory/5300-1047-0x0000000001050000-0x0000000001062000-memory.dmp

Filesize
72KB

Download
memory/5480-1004-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download