dcrat | cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43.exe
Size

1.3MB
MD5

4146b8cc6554b78bbd406366087916e9
SHA1

1f151edbd596c574e25bd87e1ffdf72d5d6246ae
SHA256

cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43
SHA512

122dbf17d7adeee1d6993e7b72f38498fb12101b0cde7d475daf849d0f53ea1618d3341cacc05164caab955fe3b17f0df43877ec9d82f31af2888553dca59502
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	260	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4360	schtasks.exe	19
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	4360	schtasks.exe	19

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000300000001e64d-137.dat	dcrat
behavioral1/files/0x000300000001e64d-138.dat	dcrat
behavioral1/memory/4744-139-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/files/0x0006000000022e40-164.dat	dcrat
behavioral1/files/0x0006000000022e40-163.dat	dcrat
behavioral1/files/0x0006000000022e40-224.dat	dcrat
behavioral1/files/0x0006000000022e40-232.dat	dcrat
behavioral1/files/0x0006000000022e40-239.dat	dcrat
behavioral1/files/0x0006000000022e40-246.dat	dcrat
behavioral1/files/0x0006000000022e40-253.dat	dcrat
behavioral1/files/0x0006000000022e40-260.dat	dcrat
behavioral1/files/0x0006000000022e40-267.dat	dcrat
behavioral1/files/0x0006000000022e40-274.dat	dcrat
behavioral1/files/0x0006000000022e40-281.dat	dcrat
behavioral1/files/0x0006000000022e40-288.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4744	DllCommonsvc.exe
3028	fontdrvhost.exe
5752	fontdrvhost.exe
3776	fontdrvhost.exe
3656	fontdrvhost.exe
5220	fontdrvhost.exe
3164	fontdrvhost.exe
3932	fontdrvhost.exe
1204	fontdrvhost.exe
1296	fontdrvhost.exe
2016	fontdrvhost.exe
4420	fontdrvhost.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\Common Files\microsoft shared\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\DISM\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\DISM\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1936	schtasks.exe
860	schtasks.exe
3380	schtasks.exe
4288	schtasks.exe
4380	schtasks.exe
3776	schtasks.exe
4432	schtasks.exe
4340	schtasks.exe
224	schtasks.exe
548	schtasks.exe
1372	schtasks.exe
1564	schtasks.exe
4112	schtasks.exe
2944	schtasks.exe
4344	schtasks.exe
4568	schtasks.exe
1444	schtasks.exe
808	schtasks.exe
960	schtasks.exe
4996	schtasks.exe
4516	schtasks.exe
4560	schtasks.exe
4400	schtasks.exe
3388	schtasks.exe
320	schtasks.exe
4984	schtasks.exe
3604	schtasks.exe
1852	schtasks.exe
5028	schtasks.exe
1796	schtasks.exe
4252	schtasks.exe
2432	schtasks.exe
544	schtasks.exe
4420	schtasks.exe
4448	schtasks.exe
796	schtasks.exe
1960	schtasks.exe
332	schtasks.exe
260	schtasks.exe
1784	schtasks.exe
3460	schtasks.exe
2504	schtasks.exe
4276	schtasks.exe
1888	schtasks.exe
2136	schtasks.exe
3132	schtasks.exe
1720	schtasks.exe
4232	schtasks.exe
3096	schtasks.exe
2680	schtasks.exe
4536	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	DllCommonsvc.exe
4744	DllCommonsvc.exe
4744	DllCommonsvc.exe
4744	DllCommonsvc.exe
4744	DllCommonsvc.exe
4744	DllCommonsvc.exe
4744	DllCommonsvc.exe
4744	DllCommonsvc.exe
4744	DllCommonsvc.exe
1640	powershell.exe
1640	powershell.exe
1932	powershell.exe
1932	powershell.exe
1560	powershell.exe
1560	powershell.exe
2360	powershell.exe
2360	powershell.exe
4548	powershell.exe
4548	powershell.exe
3528	powershell.exe
3528	powershell.exe
2980	powershell.exe
2980	powershell.exe
5096	powershell.exe
5104	powershell.exe
5096	powershell.exe
5104	powershell.exe
2052	powershell.exe
2052	powershell.exe
2420	powershell.exe
2420	powershell.exe
4180	powershell.exe
4180	powershell.exe
3952	powershell.exe
3952	powershell.exe
4760	powershell.exe
4760	powershell.exe
2748	powershell.exe
2748	powershell.exe
4784	powershell.exe
4784	powershell.exe
1032	powershell.exe
1032	powershell.exe
1504	powershell.exe
1504	powershell.exe
3028	fontdrvhost.exe
3028	fontdrvhost.exe
1932	powershell.exe
1932	powershell.exe
1640	powershell.exe
1640	powershell.exe
1560	powershell.exe
1560	powershell.exe
4548	powershell.exe
4548	powershell.exe
2360	powershell.exe
2360	powershell.exe
3528	powershell.exe
2980	powershell.exe
5096	powershell.exe
2052	powershell.exe
5104	powershell.exe
2420	powershell.exe
4180	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	DllCommonsvc.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3028	fontdrvhost.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	5752	fontdrvhost.exe
Token: SeDebugPrivilege	3776	fontdrvhost.exe
Token: SeDebugPrivilege	3656	fontdrvhost.exe
Token: SeDebugPrivilege	5220	fontdrvhost.exe
Token: SeDebugPrivilege	3164	fontdrvhost.exe
Token: SeDebugPrivilege	3932	fontdrvhost.exe
Token: SeDebugPrivilege	1204	fontdrvhost.exe
Token: SeDebugPrivilege	1296	fontdrvhost.exe
Token: SeDebugPrivilege	2016	fontdrvhost.exe
Token: SeDebugPrivilege	4420	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1760	1572	cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43.exe	81
PID 1572 wrote to memory of 1760	1572	cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43.exe	81
PID 1572 wrote to memory of 1760	1572	cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43.exe	81
PID 1760 wrote to memory of 1264	1760	WScript.exe	82
PID 1760 wrote to memory of 1264	1760	WScript.exe	82
PID 1760 wrote to memory of 1264	1760	WScript.exe	82
PID 1264 wrote to memory of 4744	1264	cmd.exe	84
PID 1264 wrote to memory of 4744	1264	cmd.exe	84
PID 4744 wrote to memory of 5096	4744	DllCommonsvc.exe	136
PID 4744 wrote to memory of 5096	4744	DllCommonsvc.exe	136
PID 4744 wrote to memory of 1640	4744	DllCommonsvc.exe	137
PID 4744 wrote to memory of 1640	4744	DllCommonsvc.exe	137
PID 4744 wrote to memory of 1560	4744	DllCommonsvc.exe	139
PID 4744 wrote to memory of 1560	4744	DllCommonsvc.exe	139
PID 4744 wrote to memory of 2360	4744	DllCommonsvc.exe	140
PID 4744 wrote to memory of 2360	4744	DllCommonsvc.exe	140
PID 4744 wrote to memory of 1932	4744	DllCommonsvc.exe	141
PID 4744 wrote to memory of 1932	4744	DllCommonsvc.exe	141
PID 4744 wrote to memory of 3528	4744	DllCommonsvc.exe	142
PID 4744 wrote to memory of 3528	4744	DllCommonsvc.exe	142
PID 4744 wrote to memory of 4548	4744	DllCommonsvc.exe	169
PID 4744 wrote to memory of 4548	4744	DllCommonsvc.exe	169
PID 4744 wrote to memory of 2980	4744	DllCommonsvc.exe	144
PID 4744 wrote to memory of 2980	4744	DllCommonsvc.exe	144
PID 4744 wrote to memory of 5104	4744	DllCommonsvc.exe	145
PID 4744 wrote to memory of 5104	4744	DllCommonsvc.exe	145
PID 4744 wrote to memory of 2052	4744	DllCommonsvc.exe	165
PID 4744 wrote to memory of 2052	4744	DllCommonsvc.exe	165
PID 4744 wrote to memory of 2420	4744	DllCommonsvc.exe	147
PID 4744 wrote to memory of 2420	4744	DllCommonsvc.exe	147
PID 4744 wrote to memory of 4760	4744	DllCommonsvc.exe	163
PID 4744 wrote to memory of 4760	4744	DllCommonsvc.exe	163
PID 4744 wrote to memory of 3952	4744	DllCommonsvc.exe	149
PID 4744 wrote to memory of 3952	4744	DllCommonsvc.exe	149
PID 4744 wrote to memory of 2748	4744	DllCommonsvc.exe	160
PID 4744 wrote to memory of 2748	4744	DllCommonsvc.exe	160
PID 4744 wrote to memory of 4180	4744	DllCommonsvc.exe	150
PID 4744 wrote to memory of 4180	4744	DllCommonsvc.exe	150
PID 4744 wrote to memory of 4784	4744	DllCommonsvc.exe	157
PID 4744 wrote to memory of 4784	4744	DllCommonsvc.exe	157
PID 4744 wrote to memory of 1504	4744	DllCommonsvc.exe	152
PID 4744 wrote to memory of 1504	4744	DllCommonsvc.exe	152
PID 4744 wrote to memory of 1032	4744	DllCommonsvc.exe	153
PID 4744 wrote to memory of 1032	4744	DllCommonsvc.exe	153
PID 4744 wrote to memory of 3028	4744	DllCommonsvc.exe	172
PID 4744 wrote to memory of 3028	4744	DllCommonsvc.exe	172
PID 3028 wrote to memory of 5420	3028	fontdrvhost.exe	175
PID 3028 wrote to memory of 5420	3028	fontdrvhost.exe	175
PID 5420 wrote to memory of 5476	5420	cmd.exe	174
PID 5420 wrote to memory of 5476	5420	cmd.exe	174
PID 5420 wrote to memory of 5752	5420	cmd.exe	180
PID 5420 wrote to memory of 5752	5420	cmd.exe	180
PID 5752 wrote to memory of 6076	5752	fontdrvhost.exe	184
PID 5752 wrote to memory of 6076	5752	fontdrvhost.exe	184
PID 6076 wrote to memory of 6136	6076	cmd.exe	186
PID 6076 wrote to memory of 6136	6076	cmd.exe	186
PID 6076 wrote to memory of 3776	6076	cmd.exe	187
PID 6076 wrote to memory of 3776	6076	cmd.exe	187
PID 3776 wrote to memory of 1148	3776	fontdrvhost.exe	188
PID 3776 wrote to memory of 1148	3776	fontdrvhost.exe	188
PID 1148 wrote to memory of 708	1148	cmd.exe	190
PID 1148 wrote to memory of 708	1148	cmd.exe	190
PID 1148 wrote to memory of 3656	1148	cmd.exe	191
PID 1148 wrote to memory of 3656	1148	cmd.exe	191

C:\Users\Admin\AppData\Local\Temp\cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43.exe
"C:\Users\Admin\AppData\Local\Temp\cf1e69de8fe86f1b92d0a0115cbb2b68fec579cb8c89198ceb2b3555266c7d43.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
    - - C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5420
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:6076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:6136
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:708
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        12⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4656
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        14⤵
        
        PID:5060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:544
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        16⤵
        
        PID:3332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1960
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
        18⤵
        
        PID:3272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4112
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
        20⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3424
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
        22⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4568
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
        24⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2876
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\DISM\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\DISM\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

Filesize
227B

MD5
64707d5c528078dc1bb60faf7239f04c

SHA1
fa56f020e6606ffa1b7dda4e92bc678cc73a843f

SHA256
396cb1ae6a3b698afada76e90ec0dcb38632c5c3fd38e9d7a3b1f20c35c359f7

SHA512
da610b8051be4fbd5f3ff3d30672c951e1d10c8818d6b92e6a360e3e742475988bd168618da1fdf6a5518e5a059be8d5fb46856cfca7df6580102b8aa793b759

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

Filesize
227B

MD5
64707d5c528078dc1bb60faf7239f04c

SHA1
fa56f020e6606ffa1b7dda4e92bc678cc73a843f

SHA256
396cb1ae6a3b698afada76e90ec0dcb38632c5c3fd38e9d7a3b1f20c35c359f7

SHA512
da610b8051be4fbd5f3ff3d30672c951e1d10c8818d6b92e6a360e3e742475988bd168618da1fdf6a5518e5a059be8d5fb46856cfca7df6580102b8aa793b759

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat

Filesize
227B

MD5
92b8d9c005a601f1aedd2943b51071b9

SHA1
5fc137e312b5d252dc4b21b93366f5f2941e80f7

SHA256
2965b00829c7ee7bd1fe6d3c698564ba8711ccd07eea84626f9667914abaa136

SHA512
b18e8dd478746a2c94a29818d31a43b9d0f05ba7a28469b13c299cf770971d4286464b2bf5a8f543f1f47c22077db3518e723d4134002cc54762f956cb7d5f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
227B

MD5
46adcf0dbf245b01b96929611ba97d77

SHA1
664f31b8c4d6a2ffe9cd037ce90d3df55848cfa7

SHA256
95eb359197ff74614612c0466a6b95e89d769c90c36593faf7dbbae46dd9570b

SHA512
a818ceea8b822d2f1721718131b7b27920dca83b3789d22b5a590116251abcc6230f3952b18fddb0fc66e16e24ec4d74e4dd09bc7a9a334ddeb250b901a09f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
227B

MD5
c377ba8740a31a165bd70f5210c4b6db

SHA1
8e6e6afe858762358139fe10e9f218fa62562476

SHA256
d1c7589ef1528bf631d9f293b81a4d762a449408c490be71d37bdb3eb1352c1f

SHA512
0a31d1f5d18c0f4ab1e9b8b7a15e196a3616fd6cb5882c25043be6f41a65af149927906c50904feaed9cd1513a9af12aeffbd93370f01dd4865ad143d19ed944

Download Submit
C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat

Filesize
227B

MD5
39efd4c288d2c7dc68bccfa5f3d2feec

SHA1
7a40a1ff32e131f5af50dca0e7660881f53210cd

SHA256
d4fd759638d729d7257a9b9f0c97e9024d84fbea797f57422e11784fd4053a24

SHA512
a94c4d3122b18efc32ea847986489f899cf3e2e3a12c8bf4de76bda20432081e2a6799cda0fc66af411965f23c009ac130043d0c4e2025710e52e7e9d093841a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
227B

MD5
c7de9872895aee49d797c21e56f0cc2b

SHA1
2bab52d3da6b06a94c93a518d642d2409d65c462

SHA256
3b0d98dfff95ba9e09483a9709fe11d380c12226da47d1fa8e274cc9ff97e781

SHA512
92b406dfd25222258a7cdad37895f831e1151a17adf5a6b2431282df54711aba3c5c6d392812cc3cac12459fcd82ba5a1c59d39681178181820e7b15c5189306

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
227B

MD5
22fbb3f4573611544715014c7c939428

SHA1
9a6d75fbbe0744dc364b35ceea308b42dbab2de2

SHA256
1843d73d4fc8f95640936f2884f9922b4f1e53ff750082fa855be9edfd0868fa

SHA512
5824e16dc664df9bc9f761b439f6eed0c9568ea2936041fc5986788be50f0d46baf342e1024a9ed11de3959981e207a5096295b0e19c34988c628f73525269e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

Filesize
227B

MD5
97f03ef4bc6f94965479b8b1d68bac02

SHA1
1f6fd437fb2bedca2ae3aae1803dadfe6798af58

SHA256
a984b2331055e13d1bf74c8330803531cf3964c92d99fbe6fef51465ef951c3c

SHA512
7ac67120645d2c9c7f7d1e3310656705d2cba1d29d04d25a1a1bea22df1f21714599e2876f0a73fe40f295cb8dda959ef04abd1b3b1d7434184a19b18a64c266

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
227B

MD5
868e09f98253195e985e7f6e604c80f6

SHA1
a4f49b83054fc314f7458289d114449e720e1314

SHA256
86feb81e63515d92f5bc22cbd97737065a30acfca2e2b0f9ca7e79a3db700fa5

SHA512
8698a55434d20d6ddc9733eebaaa5a2a72fcabe99565ca06ae1a0226ab7faa045b8ede5ab33b304fc6d35b392f18a9f0df791a4a90a8d517c4dd9b38ff29064d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1032-216-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/1032-178-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/1204-272-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/1204-268-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/1296-275-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/1296-279-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/1504-215-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/1504-179-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/1560-189-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/1560-162-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/1640-159-0x0000019925B40000-0x0000019925B62000-memory.dmp

Filesize
136KB

Download
memory/1640-185-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/1640-160-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/1932-186-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/1932-167-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2016-286-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/2016-282-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/2052-218-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2052-173-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2360-205-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2360-165-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2420-174-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2420-210-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2748-207-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2748-176-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2980-204-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/2980-170-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3028-222-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3028-182-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3164-258-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3164-254-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3528-169-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3528-201-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3656-240-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3656-244-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3776-237-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3776-233-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3932-261-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3932-265-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3952-212-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/3952-180-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4180-177-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4180-200-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4420-289-0x00007FFD0AAC0000-0x00007FFD0B581000-memory.dmp

Filesize
10.8MB

Download
memory/4548-168-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4548-190-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4744-166-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4744-140-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4744-139-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/4760-175-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4760-209-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4784-181-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/4784-211-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/5096-202-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/5096-171-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/5104-172-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/5104-206-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/5220-247-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/5220-251-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/5752-226-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download
memory/5752-230-0x00007FFD0A5D0000-0x00007FFD0B091000-memory.dmp

Filesize
10.8MB

Download