dcrat | 8b464085acc812415dd79aeca9f7ad921febb88fb162ccaa152f2dc78c8a6cf9

Analysis

max time kernel
145s
max time network
142s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b464085acc812415dd79aeca9f7ad921febb88fb162ccaa152f2dc78c8a6cf9.exe
Size

1.3MB
MD5

7f2cb0cb3c990e0d5ce817d64f52770e
SHA1

63527d784fa3a8ab5e484e70b6a11b84c95b4004
SHA256

8b464085acc812415dd79aeca9f7ad921febb88fb162ccaa152f2dc78c8a6cf9
SHA512

8f190f1306acda26b10b10e0b4c99f740027b19722247b527548e7d8a2ea31b03dd6efb1da1cf621f61d55f489054807c0582f1dcf6d30461e271fcf5d73a1da
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	3056	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	3056	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac31-280.dat	dcrat
behavioral1/files/0x000800000001ac31-281.dat	dcrat
behavioral1/memory/1724-282-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/files/0x000900000001ac3a-683.dat	dcrat
behavioral1/files/0x000900000001ac3a-682.dat	dcrat
behavioral1/files/0x000900000001ac3a-1053.dat	dcrat
behavioral1/files/0x000900000001ac3a-1060.dat	dcrat
behavioral1/files/0x000900000001ac3a-1065.dat	dcrat
behavioral1/files/0x000900000001ac3a-1070.dat	dcrat
behavioral1/files/0x000900000001ac3a-1076.dat	dcrat
behavioral1/files/0x000900000001ac3a-1082.dat	dcrat
behavioral1/files/0x000900000001ac3a-1088.dat	dcrat
behavioral1/files/0x000900000001ac3a-1094.dat	dcrat
behavioral1/files/0x000900000001ac3a-1099.dat	dcrat
behavioral1/files/0x000900000001ac3a-1104.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
1724	DllCommonsvc.exe
5332	ShellExperienceHost.exe
5560	ShellExperienceHost.exe
5764	ShellExperienceHost.exe
6004	ShellExperienceHost.exe
1856	ShellExperienceHost.exe
4776	ShellExperienceHost.exe
5072	ShellExperienceHost.exe
364	ShellExperienceHost.exe
2616	ShellExperienceHost.exe
4640	ShellExperienceHost.exe
4484	ShellExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\AppPatch\en-US\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\en-US\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\ELAMBKUP\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\ELAMBKUP\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\ImmersiveControlPanel\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1644	schtasks.exe
3680	schtasks.exe
4308	schtasks.exe
4492	schtasks.exe
1412	schtasks.exe
2040	schtasks.exe
4844	schtasks.exe
1816	schtasks.exe
648	schtasks.exe
2208	schtasks.exe
2276	schtasks.exe
4048	schtasks.exe
4988	schtasks.exe
4860	schtasks.exe
1160	schtasks.exe
1180	schtasks.exe
428	schtasks.exe
588	schtasks.exe
2532	schtasks.exe
3584	schtasks.exe
4576	schtasks.exe
4796	schtasks.exe
4832	schtasks.exe
1476	schtasks.exe
1072	schtasks.exe
2464	schtasks.exe
1796	schtasks.exe
1256	schtasks.exe
1664	schtasks.exe
692	schtasks.exe
3192	schtasks.exe
4676	schtasks.exe
4568	schtasks.exe
4972	schtasks.exe
1768	schtasks.exe
3676	schtasks.exe
1856	schtasks.exe
868	schtasks.exe
3904	schtasks.exe
3852	schtasks.exe
4996	schtasks.exe
4732	schtasks.exe
4724	schtasks.exe
220	schtasks.exe
2568	schtasks.exe
3536	schtasks.exe
4944	schtasks.exe
816	schtasks.exe
3296	schtasks.exe
3300	schtasks.exe
224	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	8b464085acc812415dd79aeca9f7ad921febb88fb162ccaa152f2dc78c8a6cf9.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1724	DllCommonsvc.exe
1724	DllCommonsvc.exe
1724	DllCommonsvc.exe
1724	DllCommonsvc.exe
1724	DllCommonsvc.exe
1724	DllCommonsvc.exe
1724	DllCommonsvc.exe
1724	DllCommonsvc.exe
1724	DllCommonsvc.exe
1724	DllCommonsvc.exe
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe
2632	powershell.exe
2632	powershell.exe
3808	powershell.exe
3808	powershell.exe
64	powershell.exe
64	powershell.exe
5060	powershell.exe
5060	powershell.exe
2080	powershell.exe
2080	powershell.exe
3876	powershell.exe
3876	powershell.exe
4632	powershell.exe
4632	powershell.exe
5076	powershell.exe
5076	powershell.exe
3336	powershell.exe
3336	powershell.exe
3372	powershell.exe
3372	powershell.exe
8	powershell.exe
8	powershell.exe
4648	powershell.exe
4648	powershell.exe
2796	powershell.exe
2796	powershell.exe
3828	powershell.exe
3828	powershell.exe
4156	powershell.exe
4156	powershell.exe
4008	powershell.exe
4008	powershell.exe
3424	powershell.exe
3424	powershell.exe
4008	powershell.exe
2632	powershell.exe
3876	powershell.exe
2080	powershell.exe
5060	powershell.exe
5076	powershell.exe
3808	powershell.exe
4632	powershell.exe
64	powershell.exe
4008	powershell.exe
4648	powershell.exe
3828	powershell.exe
3336	powershell.exe
3372	powershell.exe
8	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	DllCommonsvc.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeIncreaseQuotaPrivilege	2816	powershell.exe
Token: SeSecurityPrivilege	2816	powershell.exe
Token: SeTakeOwnershipPrivilege	2816	powershell.exe
Token: SeLoadDriverPrivilege	2816	powershell.exe
Token: SeSystemProfilePrivilege	2816	powershell.exe
Token: SeSystemtimePrivilege	2816	powershell.exe
Token: SeProfSingleProcessPrivilege	2816	powershell.exe
Token: SeIncBasePriorityPrivilege	2816	powershell.exe
Token: SeCreatePagefilePrivilege	2816	powershell.exe
Token: SeBackupPrivilege	2816	powershell.exe
Token: SeRestorePrivilege	2816	powershell.exe
Token: SeShutdownPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeSystemEnvironmentPrivilege	2816	powershell.exe
Token: SeRemoteShutdownPrivilege	2816	powershell.exe
Token: SeUndockPrivilege	2816	powershell.exe
Token: SeManageVolumePrivilege	2816	powershell.exe
Token: 33	2816	powershell.exe
Token: 34	2816	powershell.exe
Token: 35	2816	powershell.exe
Token: 36	2816	powershell.exe
Token: SeIncreaseQuotaPrivilege	4008	powershell.exe
Token: SeSecurityPrivilege	4008	powershell.exe
Token: SeTakeOwnershipPrivilege	4008	powershell.exe
Token: SeLoadDriverPrivilege	4008	powershell.exe
Token: SeSystemProfilePrivilege	4008	powershell.exe
Token: SeSystemtimePrivilege	4008	powershell.exe
Token: SeProfSingleProcessPrivilege	4008	powershell.exe
Token: SeIncBasePriorityPrivilege	4008	powershell.exe
Token: SeCreatePagefilePrivilege	4008	powershell.exe
Token: SeBackupPrivilege	4008	powershell.exe
Token: SeRestorePrivilege	4008	powershell.exe
Token: SeShutdownPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeSystemEnvironmentPrivilege	4008	powershell.exe
Token: SeRemoteShutdownPrivilege	4008	powershell.exe
Token: SeUndockPrivilege	4008	powershell.exe
Token: SeManageVolumePrivilege	4008	powershell.exe
Token: 33	4008	powershell.exe
Token: 34	4008	powershell.exe
Token: 35	4008	powershell.exe
Token: 36	4008	powershell.exe
Token: SeIncreaseQuotaPrivilege	2632	powershell.exe
Token: SeSecurityPrivilege	2632	powershell.exe
Token: SeTakeOwnershipPrivilege	2632	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 400	1968	8b464085acc812415dd79aeca9f7ad921febb88fb162ccaa152f2dc78c8a6cf9.exe	66
PID 1968 wrote to memory of 400	1968	8b464085acc812415dd79aeca9f7ad921febb88fb162ccaa152f2dc78c8a6cf9.exe	66
PID 1968 wrote to memory of 400	1968	8b464085acc812415dd79aeca9f7ad921febb88fb162ccaa152f2dc78c8a6cf9.exe	66
PID 400 wrote to memory of 4256	400	WScript.exe	67
PID 400 wrote to memory of 4256	400	WScript.exe	67
PID 400 wrote to memory of 4256	400	WScript.exe	67
PID 4256 wrote to memory of 1724	4256	cmd.exe	69
PID 4256 wrote to memory of 1724	4256	cmd.exe	69
PID 1724 wrote to memory of 2632	1724	DllCommonsvc.exe	122
PID 1724 wrote to memory of 2632	1724	DllCommonsvc.exe	122
PID 1724 wrote to memory of 2816	1724	DllCommonsvc.exe	126
PID 1724 wrote to memory of 2816	1724	DllCommonsvc.exe	126
PID 1724 wrote to memory of 3876	1724	DllCommonsvc.exe	124
PID 1724 wrote to memory of 3876	1724	DllCommonsvc.exe	124
PID 1724 wrote to memory of 3808	1724	DllCommonsvc.exe	138
PID 1724 wrote to memory of 3808	1724	DllCommonsvc.exe	138
PID 1724 wrote to memory of 5060	1724	DllCommonsvc.exe	137
PID 1724 wrote to memory of 5060	1724	DllCommonsvc.exe	137
PID 1724 wrote to memory of 64	1724	DllCommonsvc.exe	136
PID 1724 wrote to memory of 64	1724	DllCommonsvc.exe	136
PID 1724 wrote to memory of 5076	1724	DllCommonsvc.exe	135
PID 1724 wrote to memory of 5076	1724	DllCommonsvc.exe	135
PID 1724 wrote to memory of 2080	1724	DllCommonsvc.exe	134
PID 1724 wrote to memory of 2080	1724	DllCommonsvc.exe	134
PID 1724 wrote to memory of 8	1724	DllCommonsvc.exe	133
PID 1724 wrote to memory of 8	1724	DllCommonsvc.exe	133
PID 1724 wrote to memory of 4632	1724	DllCommonsvc.exe	139
PID 1724 wrote to memory of 4632	1724	DllCommonsvc.exe	139
PID 1724 wrote to memory of 3336	1724	DllCommonsvc.exe	140
PID 1724 wrote to memory of 3336	1724	DllCommonsvc.exe	140
PID 1724 wrote to memory of 3372	1724	DllCommonsvc.exe	141
PID 1724 wrote to memory of 3372	1724	DllCommonsvc.exe	141
PID 1724 wrote to memory of 2796	1724	DllCommonsvc.exe	142
PID 1724 wrote to memory of 2796	1724	DllCommonsvc.exe	142
PID 1724 wrote to memory of 4648	1724	DllCommonsvc.exe	144
PID 1724 wrote to memory of 4648	1724	DllCommonsvc.exe	144
PID 1724 wrote to memory of 4008	1724	DllCommonsvc.exe	145
PID 1724 wrote to memory of 4008	1724	DllCommonsvc.exe	145
PID 1724 wrote to memory of 3828	1724	DllCommonsvc.exe	151
PID 1724 wrote to memory of 3828	1724	DllCommonsvc.exe	151
PID 1724 wrote to memory of 4156	1724	DllCommonsvc.exe	152
PID 1724 wrote to memory of 4156	1724	DllCommonsvc.exe	152
PID 1724 wrote to memory of 3424	1724	DllCommonsvc.exe	153
PID 1724 wrote to memory of 3424	1724	DllCommonsvc.exe	153
PID 1724 wrote to memory of 1644	1724	DllCommonsvc.exe	158
PID 1724 wrote to memory of 1644	1724	DllCommonsvc.exe	158
PID 1644 wrote to memory of 3868	1644	cmd.exe	160
PID 1644 wrote to memory of 3868	1644	cmd.exe	160
PID 1644 wrote to memory of 5332	1644	cmd.exe	162
PID 1644 wrote to memory of 5332	1644	cmd.exe	162
PID 5332 wrote to memory of 5680	5332	ShellExperienceHost.exe	163
PID 5332 wrote to memory of 5680	5332	ShellExperienceHost.exe	163
PID 5680 wrote to memory of 5592	5680	cmd.exe	165
PID 5680 wrote to memory of 5592	5680	cmd.exe	165
PID 5680 wrote to memory of 5560	5680	cmd.exe	166
PID 5680 wrote to memory of 5560	5680	cmd.exe	166
PID 5560 wrote to memory of 5760	5560	ShellExperienceHost.exe	167
PID 5560 wrote to memory of 5760	5560	ShellExperienceHost.exe	167
PID 5760 wrote to memory of 5696	5760	cmd.exe	169
PID 5760 wrote to memory of 5696	5760	cmd.exe	169
PID 5760 wrote to memory of 5764	5760	cmd.exe	170
PID 5760 wrote to memory of 5764	5760	cmd.exe	170
PID 5764 wrote to memory of 5912	5764	ShellExperienceHost.exe	171
PID 5764 wrote to memory of 5912	5764	ShellExperienceHost.exe	171

C:\Users\Admin\AppData\Local\Temp\8b464085acc812415dd79aeca9f7ad921febb88fb162ccaa152f2dc78c8a6cf9.exe
"C:\Users\Admin\AppData\Local\Temp\8b464085acc812415dd79aeca9f7ad921febb88fb162ccaa152f2dc78c8a6cf9.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\en-US\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\14ObxsbNTK.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3868
      - C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5592
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5696
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        11⤵
        
        PID:5912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5936
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        13⤵
        
        PID:5232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1772
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        15⤵
        
        PID:3528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:5100
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
        17⤵
        
        PID:5272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1412
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat"
        19⤵
        
        PID:3700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4300
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        21⤵
        
        PID:3332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3300
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
        23⤵
        
        PID:1896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1880
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
        25⤵
        
        PID:5392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2280
        
        C:\Recovery\WindowsRE\ShellExperienceHost.exe
        
        "C:\Recovery\WindowsRE\ShellExperienceHost.exe"
        26⤵
        Executes dropped EXE
        
        PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\ELAMBKUP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\ELAMBKUP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\ImmersiveControlPanel\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\ImmersiveControlPanel\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShellExperienceHost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02b6c68dead38613d1a8ea25fc80efc8

SHA1
3ebea48bb5ebe6cbf73f4ecbee0b67fd253b02e9

SHA256
e5d94cb19f98851096d1c2114e3d18543082cbfe1d91c42f927fcde3b7be75a7

SHA512
baef4ccff193426df30097f39126e271311ea0614ec24356069e15672fbf877248993c58a8816427bf93c5ff96e57357168449b3a2581e464b73e9b83286b492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
14a39430656fc7937233d892c4114b63

SHA1
ceeec15af07f46ced4a28ba5096f0af09c92a5bc

SHA256
da0c9ff195b9eddd85be6bb1012070333872a92d74ecdd3fb70e7593049ebdca

SHA512
05164ca8f05c3a1d43a55437eeab16d483b338abe69c7c711240cf48dbc3b19e3b9ece5c9d8844c7adbe72cb69e7d4dcf6ed19eb5f58dae339efe52152f80b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ff1b6a323df0ac98cea153daf4f4db2

SHA1
cdfe11ea6021c001d67ce244619f97e725540743

SHA256
dbca90e93c7353e3cb5741a66ecb9f20e00f6f222461d90dba69f439a4c68b54

SHA512
863850467f413491e346e3d07f791c79f4101d12d046e245ccf182d56d2f225da4205955b63a0f79485c12cb497e070dc0fab0fe8a70af23ac38d00e9f985475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2895e01f708d405d91e9572ba62c2bd

SHA1
8f257668a2c28d19eec49b5e01fcc71be8618a70

SHA256
245eab0496732f29726f4279af605cc0a7afbc55eba1999b2097a36685dbae54

SHA512
b32d7066bd18b98533476761de3b4c8fc0bc185ad69edeb0244e1651c789933bab7dede8e058b0bcd9437e77c57d8489bd8693643f6e8656b7e42cfb1203c214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2de6abe52367ebbeb7c724cf66b3c03

SHA1
3f601834b1a390fca700ad9efafa7d0d433b5f50

SHA256
f5b83d21a7cdbf31eee19a0b6cf5031587a1ca0b35f9ff95d4a5de5a9132df17

SHA512
d26f9ea8686b5fc0ffef509d0b61c7bc93d5369972723061c889edfc6c18fd04e17cb43113238b23cbbb69576964262fb0b1e2b3c527d5833da4c1edd1d24ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb85834f18ea6ca16fae6bbae92f8436

SHA1
f93c19a46ce410e3bb9ff2e75cdacd27568b61ee

SHA256
7992f8c51d979142ab81f8197309f5aff399784f2d9f23c37559161d7d2af819

SHA512
09bf74bee4ca206058a024ca975dcb1d95dc6eae31e36f530cc898806f034a69590c3da2abc234eda8c5d7a67659a07bf03355245d675c0bf8ed584c97f08110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
123fe9487c5aae4e426071d247a4bbcb

SHA1
07c610d173c09cd899e034c31298b5b63b125f81

SHA256
cfae7d81044625dff50bc5b74c8dbc38bbfdba889c8b020a34b64ab80fcaf673

SHA512
030ecb2f68164c8a63c33454f6a9faa0e96931b1a4208f7582cca0ad5952afd83e5ff1f03ca5ee29296dca0b1ec912dca034533d4c0771f736517040f1881253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3acd21f73a93595748ffa10e24c4f45

SHA1
264b625c88ec2eaccf70417f191776d68e0b3634

SHA256
90183b74906e90c7befb6ec778c182bc103b56bb78e9cb089603d33cd19df52c

SHA512
3a33fe469f5ac5c2e5b3e869ce3ac50bfc58beb3de3552a6185430e36ad919ef2b09580eecaa9e22c7207d71e2e7a72ffd74783f93f58bec49319e09cd915543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d56c6c94a10066f90b648e3f1b34793

SHA1
6d6ae65ddb9a7ffe863c8cbd30a2a6a9852502d3

SHA256
dabd801ed85a978aeae74c8771868672862ad7791271bacd57daf2ebcdb11412

SHA512
a5988cf2cb1f1e170867c3223f464f8c449c0eaa2103ba483ff0998875e2bbe349351d4a263b35b50bca749327caa53c60110e2bc63467b1ec1f63e507510a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d56c6c94a10066f90b648e3f1b34793

SHA1
6d6ae65ddb9a7ffe863c8cbd30a2a6a9852502d3

SHA256
dabd801ed85a978aeae74c8771868672862ad7791271bacd57daf2ebcdb11412

SHA512
a5988cf2cb1f1e170867c3223f464f8c449c0eaa2103ba483ff0998875e2bbe349351d4a263b35b50bca749327caa53c60110e2bc63467b1ec1f63e507510a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b688d8bce85276ce580efb887ed54a5

SHA1
53fb2b98ca6112cb318a7fd048ab2ad5452e135b

SHA256
01e355850b74bfff7a37db78ba6764315c93490181db77fd409d1c09926ff989

SHA512
289fdba785dbb5a404b21a340c1a5a23e1a2493da7a1eb6c7567ddde8b6e78645f5b21de164cb376c6ffb6523e5621e804b299e36106f4b63dfa86b992e2d212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bfa5f13b701fff84ccd4a6452eb14700

SHA1
22c3d261414ad27896ab9caf1880f61e224aef6e

SHA256
edee4125badc99c23d942ada03c1bc87c75cc092edaadbbdc6f10e27f3bb700f

SHA512
57549c4c76d449734247c8c613a9b9728082e9c3f399c50619df7d115f723a8ec8e0ca69bd5fc61a26abe91344ca45420b66293c1c012f6e7b615885194c4454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e9d66df540716e27ea11a1e9f693266a

SHA1
c14137c1262e29f2c29b06fc7868797b67db6b57

SHA256
6bd14ce1068eecf93410c0ec80cfc18e12f7eee2092f3632654fa326ada403db

SHA512
779faf7e63637c315ce1f3b91d12b0ae613548741462fe06dc738db4bd8569eb69e74d19c48d5be92d3affc74d50ab4d4313f716a7d3fe3166f39926a063356e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e9d66df540716e27ea11a1e9f693266a

SHA1
c14137c1262e29f2c29b06fc7868797b67db6b57

SHA256
6bd14ce1068eecf93410c0ec80cfc18e12f7eee2092f3632654fa326ada403db

SHA512
779faf7e63637c315ce1f3b91d12b0ae613548741462fe06dc738db4bd8569eb69e74d19c48d5be92d3affc74d50ab4d4313f716a7d3fe3166f39926a063356e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e23f258083de30ed1e2e3f90c779ca9

SHA1
bbb70a8e25d58335f850e35db752e5355e95e907

SHA256
72ff351088996f6efd7d658e0e3dabff845585280d3c9c343511fa3863a596e5

SHA512
db954df1c94a0600aaa4bc616fdb7158b8a56030fe14db7a61f40be5a0a1f40fbcf3f698041f6a7ba707bdd032c1161465388cc0e9a049c7dafdab1938fa81f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e23f258083de30ed1e2e3f90c779ca9

SHA1
bbb70a8e25d58335f850e35db752e5355e95e907

SHA256
72ff351088996f6efd7d658e0e3dabff845585280d3c9c343511fa3863a596e5

SHA512
db954df1c94a0600aaa4bc616fdb7158b8a56030fe14db7a61f40be5a0a1f40fbcf3f698041f6a7ba707bdd032c1161465388cc0e9a049c7dafdab1938fa81f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e23f258083de30ed1e2e3f90c779ca9

SHA1
bbb70a8e25d58335f850e35db752e5355e95e907

SHA256
72ff351088996f6efd7d658e0e3dabff845585280d3c9c343511fa3863a596e5

SHA512
db954df1c94a0600aaa4bc616fdb7158b8a56030fe14db7a61f40be5a0a1f40fbcf3f698041f6a7ba707bdd032c1161465388cc0e9a049c7dafdab1938fa81f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\14ObxsbNTK.bat

Filesize
210B

MD5
51560de8b793ab8d6ac2c610ac022ffc

SHA1
c43e83334d2b6d04913eccf966eb2cb9d34b8d50

SHA256
b8dc975e1ef013240454d7440595ae7ca30c4c7a6f68d0525519a5e697661376

SHA512
ac09461383bd94ddf5b7ca0fd78363f9f16d73cf0e0ed9f5d0d65869f3058a260cb29337f472d9dc45bb47c2d2edb9312c0ee7261651b792f517a639e9898721

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

Filesize
210B

MD5
2591f01b49071852253eb1288feea2fb

SHA1
cabc92316b9b5864ed659e9487461f250014a19a

SHA256
6cc555769c085e25fbb2f93410900e4f90ec201144d63d25395d0040a71df146

SHA512
dc4747076aedc818553fd1ed603ce04849f94c962d8bf88f5de21a81940436234b4e3f6625c638ae311cabd7e3b389f9021a9fadb4bb32896338e79deb23e233

Download Submit
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat

Filesize
210B

MD5
9d93da2e451943ac0e660e12b12e9182

SHA1
b03f5b0a7ae261d85b3060fa169ea52aa5950fdb

SHA256
45de8d16c9ce6b5d6baaa800ed6f1b607199865cd9af30a543e08346e38358fc

SHA512
c48158c796ef8086bc636961b5b04d1fc5802aafc5ea8ee884d430d8eec89c9238d8a5a7becd9dbd5e50ff981b17b42c8e63299298544261257717f61afaa185

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat

Filesize
210B

MD5
04abb34e7309a42967e2376dfd8c00e8

SHA1
9511e512e8c16fbf32aa36236f8571f18fdd92c8

SHA256
f6187fc70bdb2519c69c229b4f402b2e1c69d2988912db821f48891666656b01

SHA512
56afe0eda389e6aff1d2d40188aef7e551db857e93662ce909e62042aa99a45cff175fce57b8d4e594164ed0d935f5f3271227545e90d94f07959da0401e95db

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
210B

MD5
982c7ce20c4432019dc010783e6c5dbb

SHA1
495ea01c4a63757676400f593c7fdd9c97d1f94e

SHA256
3af3bbe9a167d9f8d47cc75feb8f43358a103e170ddf2f4af57c4321295b2f27

SHA512
4a74b8392bed7a8b149e008a64897b356ab5289d27c8c036d44a1d550dd6c4a801cd677758328a540a951566066c962b2f9f9373f705d6add3d1ddf6908f2525

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

Filesize
210B

MD5
18eb5d6c659411114829f2d2b47f8882

SHA1
b77625afb8d6d7151cdbf509e57d6e9111b0ad44

SHA256
c2701b366b0a4b805ef0002d7c689df61b093f17a69d5c2b0dcb3940b1c32b07

SHA512
116d95cc61b2878963c999d363ca9cdc36adba94455a938622f617a049485921256d4e62b86c2488dbb59fc9281124cca27a1fe15c80b2b9a5e8c1ff094da26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

Filesize
210B

MD5
f2a554d74a93746de22a8383a7ac0a28

SHA1
4236a714222205f2667abec506f8cf1bc4d683ff

SHA256
b3c5d141810af294e3358af4df692b03ad4c8b25072b232a314cf4c35e16bc2a

SHA512
d6727ff9383acea13a305b80e97f3872f0731ebd6c93903195e587bc2ec3e97c2f0108eb2e0f6b80a9d99356d786033c410d4ef0a6abc3bfa39fd4594ad91198

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat

Filesize
210B

MD5
4c9bc6e1d8fe51afe37c3f489ad52cda

SHA1
1f53fdbaca381a72cce7cc8ca64944cda08971cd

SHA256
c1a51e17781f51075db487edc9d875ddb97e0f7fa72e92d2615e1aacb33309d6

SHA512
4145c01c0f1f32427311ad15081a7148776b26c93e7a17922109bd63bfacc1d0213ba42e0841136a5a7ae8ee2b53e993eb3a11288e2f42df3bbfa7d3770f3d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
210B

MD5
95fe3041a9806cae6859527870cfafd0

SHA1
fa6f5d3d386b46c80140be944b58dc81ef5c18ae

SHA256
3194ccffa3a8d68621e6efc3ed4ed50f0b20151b559ca643b9ea969d46246d3e

SHA512
292a0b07302704a862ffd42127f4fc228dec86bf658c252647be89cc9c6518f7165d460e9eeb10df6e4e26f90e78fb0960fb3b5b5a78f407c9a42a87ee5343dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
210B

MD5
4cb99f2fc6495f015325263084101262

SHA1
8668bdb439439c0bc1769372cefab4322b71fcd2

SHA256
1fd3b70205f679a309edc10d9ecd0819700600f45461889dd365df7f7b5c2a08

SHA512
fd1d2e207d01d23c8ffee2678a9f6aff97ac90458b471990d5e03e30af9e7e939203de40fa5f2c9131b0238102245909b70fe7339bbd995950809e29627c1366

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
210B

MD5
4cb99f2fc6495f015325263084101262

SHA1
8668bdb439439c0bc1769372cefab4322b71fcd2

SHA256
1fd3b70205f679a309edc10d9ecd0819700600f45461889dd365df7f7b5c2a08

SHA512
fd1d2e207d01d23c8ffee2678a9f6aff97ac90458b471990d5e03e30af9e7e939203de40fa5f2c9131b0238102245909b70fe7339bbd995950809e29627c1366

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/364-1089-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

Filesize
72KB

Download
memory/400-181-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/400-182-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-284-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/1724-286-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/1724-285-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/1724-283-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/1724-282-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1856-1071-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/1968-155-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-166-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-159-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-161-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-179-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-178-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-177-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-176-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-175-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-174-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-163-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-117-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-173-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-164-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-118-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-172-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-158-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-157-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-171-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-156-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-119-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-116-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-165-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-170-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-162-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-121-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-122-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-154-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-124-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-169-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-125-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-153-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-126-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-168-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-152-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-151-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-150-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-160-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-148-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-149-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-147-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-146-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-145-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-144-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-143-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-142-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-141-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-140-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-139-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-138-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-137-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-136-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-134-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-135-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-133-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-132-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-131-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-130-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-129-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-128-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-127-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/1968-167-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/2816-382-0x000002905BCB0000-0x000002905BD26000-memory.dmp

Filesize
472KB

Download
memory/2816-377-0x0000029043AB0000-0x0000029043AD2000-memory.dmp

Filesize
136KB

Download
memory/4484-1105-0x00000000010E0000-0x00000000010F2000-memory.dmp

Filesize
72KB

Download
memory/4776-1077-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/5072-1083-0x0000000002F30000-0x0000000002F42000-memory.dmp

Filesize
72KB

Download
memory/5332-761-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/5560-1055-0x0000000001170000-0x0000000001182000-memory.dmp

Filesize
72KB

Download