dcrat | 74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247

Analysis

max time kernel
146s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe
Size

1.3MB
MD5

529a45efc155aaa872854d4c33effc8c
SHA1

48cee4c8a3cd4009aeb3c3e072e08427c1b88715
SHA256

74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247
SHA512

e04c122507b00a93e9f30884c927ac5f71f2a50cc136c4bcd505a36e80ff86f1be6fd3a9e0a3d3c757f01cf815d6e81c2007463c78ab8a5b358cf5d44558843f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	188	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	196	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2280	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2280	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac0e-283.dat	dcrat
behavioral1/files/0x000800000001ac0e-284.dat	dcrat
behavioral1/memory/4772-285-0x0000000000410000-0x0000000000520000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac23-360.dat	dcrat
behavioral1/files/0x000600000001ac23-359.dat	dcrat
behavioral1/files/0x000600000001ac23-894.dat	dcrat
behavioral1/files/0x000600000001ac23-900.dat	dcrat
behavioral1/files/0x000600000001ac23-905.dat	dcrat
behavioral1/files/0x000600000001ac23-911.dat	dcrat
behavioral1/files/0x000600000001ac23-917.dat	dcrat
behavioral1/files/0x000600000001ac23-922.dat	dcrat
behavioral1/files/0x000600000001ac23-927.dat	dcrat
behavioral1/files/0x000600000001ac23-933.dat	dcrat
behavioral1/files/0x000600000001ac23-939.dat	dcrat
behavioral1/files/0x000600000001ac23-944.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4772	DllCommonsvc.exe
4592	ShellExperienceHost.exe
5804	ShellExperienceHost.exe
5956	ShellExperienceHost.exe
6128	ShellExperienceHost.exe
5376	ShellExperienceHost.exe
5324	ShellExperienceHost.exe
592	ShellExperienceHost.exe
512	ShellExperienceHost.exe
3156	ShellExperienceHost.exe
5404	ShellExperienceHost.exe
6024	ShellExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IME\it-IT\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\IME\it-IT\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\security\cap\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\security\cap\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\IME\it-IT\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4356	schtasks.exe
4656	schtasks.exe
1604	schtasks.exe
1436	schtasks.exe
4332	schtasks.exe
3168	schtasks.exe
860	schtasks.exe
4624	schtasks.exe
4632	schtasks.exe
4544	schtasks.exe
4592	schtasks.exe
4644	schtasks.exe
4380	schtasks.exe
5012	schtasks.exe
4612	schtasks.exe
2136	schtasks.exe
1620	schtasks.exe
188	schtasks.exe
4672	schtasks.exe
4432	schtasks.exe
1424	schtasks.exe
1052	schtasks.exe
3116	schtasks.exe
2776	schtasks.exe
5020	schtasks.exe
3708	schtasks.exe
4484	schtasks.exe
816	schtasks.exe
844	schtasks.exe
196	schtasks.exe
2404	schtasks.exe
2172	schtasks.exe
5064	schtasks.exe
4668	schtasks.exe
1872	schtasks.exe
944	schtasks.exe
908	schtasks.exe
1944	schtasks.exe
3256	schtasks.exe
1192	schtasks.exe
3652	schtasks.exe
4368	schtasks.exe
4344	schtasks.exe
748	schtasks.exe
2904	schtasks.exe
4532	schtasks.exe
2268	schtasks.exe
656	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
4772	DllCommonsvc.exe
2712	powershell.exe
2700	powershell.exe
2700	powershell.exe
2712	powershell.exe
3784	powershell.exe
3784	powershell.exe
2504	powershell.exe
2504	powershell.exe
1008	powershell.exe
4732	powershell.exe
4732	powershell.exe
1008	powershell.exe
2716	powershell.exe
2716	powershell.exe
3768	powershell.exe
3768	powershell.exe
2188	powershell.exe
2188	powershell.exe
4468	powershell.exe
4468	powershell.exe
4100	powershell.exe
4100	powershell.exe
1984	powershell.exe
1984	powershell.exe
4844	powershell.exe
4844	powershell.exe
4248	powershell.exe
4248	powershell.exe
1008	powershell.exe
4860	powershell.exe
4860	powershell.exe
4252	powershell.exe
4252	powershell.exe
3768	powershell.exe
4468	powershell.exe
5084	powershell.exe
5084	powershell.exe
4592	ShellExperienceHost.exe
4592	ShellExperienceHost.exe
2716	powershell.exe
2700	powershell.exe
2700	powershell.exe
2712	powershell.exe
2712	powershell.exe
1008	powershell.exe
2504	powershell.exe
3784	powershell.exe
4252	powershell.exe
4732	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	DllCommonsvc.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	4592	ShellExperienceHost.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeIncreaseQuotaPrivilege	3768	powershell.exe
Token: SeSecurityPrivilege	3768	powershell.exe
Token: SeTakeOwnershipPrivilege	3768	powershell.exe
Token: SeLoadDriverPrivilege	3768	powershell.exe
Token: SeSystemProfilePrivilege	3768	powershell.exe
Token: SeSystemtimePrivilege	3768	powershell.exe
Token: SeProfSingleProcessPrivilege	3768	powershell.exe
Token: SeIncBasePriorityPrivilege	3768	powershell.exe
Token: SeCreatePagefilePrivilege	3768	powershell.exe
Token: SeBackupPrivilege	3768	powershell.exe
Token: SeRestorePrivilege	3768	powershell.exe
Token: SeShutdownPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeSystemEnvironmentPrivilege	3768	powershell.exe
Token: SeRemoteShutdownPrivilege	3768	powershell.exe
Token: SeUndockPrivilege	3768	powershell.exe
Token: SeManageVolumePrivilege	3768	powershell.exe
Token: 33	3768	powershell.exe
Token: 34	3768	powershell.exe
Token: 35	3768	powershell.exe
Token: 36	3768	powershell.exe
Token: SeIncreaseQuotaPrivilege	1008	powershell.exe
Token: SeSecurityPrivilege	1008	powershell.exe
Token: SeTakeOwnershipPrivilege	1008	powershell.exe
Token: SeLoadDriverPrivilege	1008	powershell.exe
Token: SeSystemProfilePrivilege	1008	powershell.exe
Token: SeSystemtimePrivilege	1008	powershell.exe
Token: SeProfSingleProcessPrivilege	1008	powershell.exe
Token: SeIncBasePriorityPrivilege	1008	powershell.exe
Token: SeCreatePagefilePrivilege	1008	powershell.exe
Token: SeBackupPrivilege	1008	powershell.exe
Token: SeRestorePrivilege	1008	powershell.exe
Token: SeShutdownPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeSystemEnvironmentPrivilege	1008	powershell.exe
Token: SeRemoteShutdownPrivilege	1008	powershell.exe
Token: SeUndockPrivilege	1008	powershell.exe
Token: SeManageVolumePrivilege	1008	powershell.exe
Token: 33	1008	powershell.exe
Token: 34	1008	powershell.exe
Token: 35	1008	powershell.exe
Token: 36	1008	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	powershell.exe
Token: SeSecurityPrivilege	4468	powershell.exe
Token: SeTakeOwnershipPrivilege	4468	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 5028	3468	74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe	66
PID 3468 wrote to memory of 5028	3468	74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe	66
PID 3468 wrote to memory of 5028	3468	74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe	66
PID 5028 wrote to memory of 3556	5028	WScript.exe	67
PID 5028 wrote to memory of 3556	5028	WScript.exe	67
PID 5028 wrote to memory of 3556	5028	WScript.exe	67
PID 3556 wrote to memory of 4772	3556	cmd.exe	69
PID 3556 wrote to memory of 4772	3556	cmd.exe	69
PID 4772 wrote to memory of 2716	4772	DllCommonsvc.exe	119
PID 4772 wrote to memory of 2716	4772	DllCommonsvc.exe	119
PID 4772 wrote to memory of 2700	4772	DllCommonsvc.exe	121
PID 4772 wrote to memory of 2700	4772	DllCommonsvc.exe	121
PID 4772 wrote to memory of 2712	4772	DllCommonsvc.exe	123
PID 4772 wrote to memory of 2712	4772	DllCommonsvc.exe	123
PID 4772 wrote to memory of 2504	4772	DllCommonsvc.exe	134
PID 4772 wrote to memory of 2504	4772	DllCommonsvc.exe	134
PID 4772 wrote to memory of 3784	4772	DllCommonsvc.exe	133
PID 4772 wrote to memory of 3784	4772	DllCommonsvc.exe	133
PID 4772 wrote to memory of 1008	4772	DllCommonsvc.exe	126
PID 4772 wrote to memory of 1008	4772	DllCommonsvc.exe	126
PID 4772 wrote to memory of 4732	4772	DllCommonsvc.exe	127
PID 4772 wrote to memory of 4732	4772	DllCommonsvc.exe	127
PID 4772 wrote to memory of 4468	4772	DllCommonsvc.exe	131
PID 4772 wrote to memory of 4468	4772	DllCommonsvc.exe	131
PID 4772 wrote to memory of 2188	4772	DllCommonsvc.exe	129
PID 4772 wrote to memory of 2188	4772	DllCommonsvc.exe	129
PID 4772 wrote to memory of 3768	4772	DllCommonsvc.exe	135
PID 4772 wrote to memory of 3768	4772	DllCommonsvc.exe	135
PID 4772 wrote to memory of 4100	4772	DllCommonsvc.exe	136
PID 4772 wrote to memory of 4100	4772	DllCommonsvc.exe	136
PID 4772 wrote to memory of 4844	4772	DllCommonsvc.exe	137
PID 4772 wrote to memory of 4844	4772	DllCommonsvc.exe	137
PID 4772 wrote to memory of 1984	4772	DllCommonsvc.exe	150
PID 4772 wrote to memory of 1984	4772	DllCommonsvc.exe	150
PID 4772 wrote to memory of 4248	4772	DllCommonsvc.exe	138
PID 4772 wrote to memory of 4248	4772	DllCommonsvc.exe	138
PID 4772 wrote to memory of 4860	4772	DllCommonsvc.exe	139
PID 4772 wrote to memory of 4860	4772	DllCommonsvc.exe	139
PID 4772 wrote to memory of 4252	4772	DllCommonsvc.exe	141
PID 4772 wrote to memory of 4252	4772	DllCommonsvc.exe	141
PID 4772 wrote to memory of 5084	4772	DllCommonsvc.exe	143
PID 4772 wrote to memory of 5084	4772	DllCommonsvc.exe	143
PID 4772 wrote to memory of 4592	4772	DllCommonsvc.exe	146
PID 4772 wrote to memory of 4592	4772	DllCommonsvc.exe	146
PID 4592 wrote to memory of 5776	4592	ShellExperienceHost.exe	155
PID 4592 wrote to memory of 5776	4592	ShellExperienceHost.exe	155
PID 5776 wrote to memory of 5216	5776	cmd.exe	157
PID 5776 wrote to memory of 5216	5776	cmd.exe	157
PID 5776 wrote to memory of 5804	5776	cmd.exe	158
PID 5776 wrote to memory of 5804	5776	cmd.exe	158
PID 5804 wrote to memory of 5944	5804	ShellExperienceHost.exe	159
PID 5804 wrote to memory of 5944	5804	ShellExperienceHost.exe	159
PID 5944 wrote to memory of 676	5944	cmd.exe	161
PID 5944 wrote to memory of 676	5944	cmd.exe	161
PID 5944 wrote to memory of 5956	5944	cmd.exe	162
PID 5944 wrote to memory of 5956	5944	cmd.exe	162
PID 5956 wrote to memory of 6004	5956	ShellExperienceHost.exe	163
PID 5956 wrote to memory of 6004	5956	ShellExperienceHost.exe	163
PID 6004 wrote to memory of 6092	6004	cmd.exe	165
PID 6004 wrote to memory of 6092	6004	cmd.exe	165
PID 6004 wrote to memory of 6128	6004	cmd.exe	166
PID 6004 wrote to memory of 6128	6004	cmd.exe	166
PID 6128 wrote to memory of 5160	6128	ShellExperienceHost.exe	167
PID 6128 wrote to memory of 5160	6128	ShellExperienceHost.exe	167

C:\Users\Admin\AppData\Local\Temp\74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe
"C:\Users\Admin\AppData\Local\Temp\74923c5d4bbc06b927e307c7685ba04375ccde9a565da6be0f0bd2b8dc167247.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\it-IT\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\cap\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
    - - C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5216
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:676
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:6004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:6092
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        12⤵
        
        PID:5160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5900
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
        14⤵
        
        PID:4872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:656
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        16⤵
        
        PID:3792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4536
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
        18⤵
        
        PID:4492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2172
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        20⤵
        
        PID:3348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2356
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        22⤵
        
        PID:4744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3624
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        24⤵
        
        PID:4712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2272
        
        C:\providercommon\ShellExperienceHost.exe
        
        "C:\providercommon\ShellExperienceHost.exe"
        25⤵
        Executes dropped EXE
        
        PID:6024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\security\cap\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\security\cap\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\security\cap\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShellExperienceHost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
42d8459db42c0e31873dc4cc13c9df3b

SHA1
90cb77b304020be17314485e6ad5ef35be568ffc

SHA256
360d60ee2d3a1e3276698ba9bcbc34be77e88fe72df3e828435c8710321fcf02

SHA512
624fce2ba52cf09c0b6c808a09dce72172ce709cc8bdb13c2494d3715ea74f2f0d91761d93a9dae6c8aa1ffc249f0487ce0e3fa5631d9cbbe61cb8af74dda728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d540a9ebff2178b3123bd1e95f4acb

SHA1
aacfc98c5ed6046b975116e6de30857c3a36d5dc

SHA256
01b46d81fff86e551abf4296906774cf3590fa1a4e187935dc35aa6db4adbd95

SHA512
fe4736d4a369ebd70d8aeb76a14a895f4895f95dd089919a318d6f1effbdc34fa0fb6708d94f6afe43539dca6fe218fd1f3132b85b84016b84a27cf6a5f1dd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed3f4b6df5d06750ce96ab21e76a077b

SHA1
70716014bd973a3963240947cf868b77841b0a6e

SHA256
138ff80fe28a2d7677cd1877e7f6ce6b2d94cdb7a716b377cea502eb1c75fcb6

SHA512
6b7d7711df15106c7eb059040f095a822c914dc624fe52439bedd0009739bcd535d5f691dda4c3356629effe91ed84f65f1b5530142c2d84549bde3388e4b53e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed3f4b6df5d06750ce96ab21e76a077b

SHA1
70716014bd973a3963240947cf868b77841b0a6e

SHA256
138ff80fe28a2d7677cd1877e7f6ce6b2d94cdb7a716b377cea502eb1c75fcb6

SHA512
6b7d7711df15106c7eb059040f095a822c914dc624fe52439bedd0009739bcd535d5f691dda4c3356629effe91ed84f65f1b5530142c2d84549bde3388e4b53e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
302da5eacb791267d487cc51ae54af3e

SHA1
f23a36f48bf0fe7808184870a52ab88ae907711a

SHA256
feeb2fb985783301ace1626949f436e04611b43cb7f104388a2ff7c877958768

SHA512
4c391f4c1be3f0a3464e6bd5a30193f9f0b6467fba98e768ad835c6e77048ef0e2ad04a2362c2361fd302ae77ab9a5818746e14ac0c2ff938a5a047acd9d3bd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18c4382cf07615fc4ba348306c074835

SHA1
df05427203776f180056820bad8386d9f29f7b0f

SHA256
829295608ce74b55b728d581a17f7e7962c6b347c497271a018891870d5872c1

SHA512
90c4779ff53aa0dfb11ea764bd6283dace8fbaad3bd8ac4e1df4960f37168c1389acf371cf9dd0a4aa37f59b31aa6a4ffd0246ffea856ab5e1fbb2e33ddf1282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
937cc5738710571a898136a55587c32c

SHA1
63b6c3048e8d309a0eee020fb8fa85ea93a6c21e

SHA256
c4ee599e697b0ac98c4f86eed0024d46bb99d9fc1b4ff07e28377dadb88839ab

SHA512
8f8a3abeff9e01bbcae67f644231e19404ecf53a543a8a1dad1471368b27a18630e7d43622b58ab48a952c03a73df3d3e92b7d6f99c07d35e98466ea7c74951d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
937cc5738710571a898136a55587c32c

SHA1
63b6c3048e8d309a0eee020fb8fa85ea93a6c21e

SHA256
c4ee599e697b0ac98c4f86eed0024d46bb99d9fc1b4ff07e28377dadb88839ab

SHA512
8f8a3abeff9e01bbcae67f644231e19404ecf53a543a8a1dad1471368b27a18630e7d43622b58ab48a952c03a73df3d3e92b7d6f99c07d35e98466ea7c74951d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
32a9b9f6fb926fd963d02734ae65f137

SHA1
4ffc3f73dfee65ec25b8671301fddfdb7e0057b0

SHA256
9b9379573cb7ab9251760ac0907c8919a1680aba8b76b6ebc671972bc6117975

SHA512
3e1032386957c12ac21e97154ef0f6d1d66cc5aa11adc228f98b22b5189cec40f4c8ea2fc9e8ce6c3a9aad9f58572c6e669462f2974a837fd99a5c8c72aac4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
154e14a2b0452b6e21694c6ac9dd8b25

SHA1
77cdc12ec745a68795820014dae764cf6507ba09

SHA256
4725a6e2b709e9256ba59f5b4b47726a6b4c2d4ca407d6756b585a578a53c29b

SHA512
38fa1ba89184c69531bbf2905507bf24703554855b4c2814e8395cd2c6b2f36b939e155cd9bde5bc17d3c589768df9f74df09d3913b09a3ee17c5d0a3896c91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
154e14a2b0452b6e21694c6ac9dd8b25

SHA1
77cdc12ec745a68795820014dae764cf6507ba09

SHA256
4725a6e2b709e9256ba59f5b4b47726a6b4c2d4ca407d6756b585a578a53c29b

SHA512
38fa1ba89184c69531bbf2905507bf24703554855b4c2814e8395cd2c6b2f36b939e155cd9bde5bc17d3c589768df9f74df09d3913b09a3ee17c5d0a3896c91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38d9f0ac6b2882dd10c20c36ee2ef177

SHA1
68edff5742314057da7733824a4d080837bbfbce

SHA256
a75bec48e18c9a15d708fde1dae05f1304e9b7ea75081f03bac73f7d625462bc

SHA512
36eb7c3c7833fbd381b21098cb07d8278f7f1efa728663f3714ef552cb0f8e9f17b70c5121537a63b35763d034170ac7176dbb14347a424172b6eb7152385967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38d9f0ac6b2882dd10c20c36ee2ef177

SHA1
68edff5742314057da7733824a4d080837bbfbce

SHA256
a75bec48e18c9a15d708fde1dae05f1304e9b7ea75081f03bac73f7d625462bc

SHA512
36eb7c3c7833fbd381b21098cb07d8278f7f1efa728663f3714ef552cb0f8e9f17b70c5121537a63b35763d034170ac7176dbb14347a424172b6eb7152385967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a4a84408d726f1cf3e680a1fe19a8c27

SHA1
1a61e30dd9e088756a51582e29893c01fd9fae6f

SHA256
408e55ac0d0c4a0fbe3e35b09cd45c857853376f2b3308a5ef43600eecc2391a

SHA512
97c825523ba1015d5aedb482f6295239d7a2cbd28188259a403171ac2f379fdee397ef8d779365b9d8dc901442b0e0dc7b35105a8a77e9d2c196439cd5da72b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb6370b8032ad79dcca7989881f9a248

SHA1
ff83d0cd90d9c69b1c56df2d70688fdac47236d2

SHA256
374d1e34a0559c05793da2b6e264d1c8261d9f443210797aeef493fb69ce9178

SHA512
85b44e1e022367278ba1d119142c2b70777357217f36ba1695ffa0624fc155bae00ffbf447a3158e194e0b94b6d1b46a14dd24a6055969a6bcd68546c22af22d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
552bdddb42f986e96de88e326d1b4125

SHA1
b8592f7a8bdc093d6a40da996c83e9d30fddc8c3

SHA256
d0b29cbd20404432508d1a2c76b473313f559a7d771a6f04216d92a7888a604c

SHA512
04eb0e3ae745f49f29253533785d411f06aa29e9eb10432afe40689d746164e802695dda9b612482d8872a0f3241ee0ce87690d7743a5a4f049d475687a86ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
206B

MD5
051e399344ae245c91df7e7b82efd02a

SHA1
aa4cd425d088ba0e2a810e6ba69f929bf90f13f2

SHA256
57feca923744ada19c63c6ddf953928753320c796e749a00b788348eee8c8908

SHA512
01d26d9b44673c88f7214aa3c70ba6bb8f9b55921527076144bb516d92a420063b097ca02caa6a43a144d15956d4c3e3efccfa19ce90a6c38546d7d37156b60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
206B

MD5
e2914c0d3c33e7020387a9993f30b51d

SHA1
0aa6ad8d085636c38f0770bee5c2a8f762bec806

SHA256
e9366f41b5efa115d621df50d1d1be082eda9f8d85b4d5c0ad12afdd62963c8d

SHA512
558e317f1997558b5d059f1eb60c4bc68aeeda9f20904ada930cf3839ca471526984ef8fc37ce0a16cc5aef08a764d2506258d214b8f18a45fb13c1e4a5bf0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
206B

MD5
0bd7fca1b15bcc6677628bb3ca14a322

SHA1
41eb9ef4058ed00461369a8069dc814aebe7250d

SHA256
3e58a9223e534434ee4fc8e3328c3e16d52f793ba5029edd049dc3dc496ae983

SHA512
78955c5f3ceedfdd5e4e176044a05cdd2903c18ce6c3761a925b051c35039ee5fb0d23d12e4422f8f721e4ab0eadd558fcdc69121af26ba6d13e4d5d6387c07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
206B

MD5
f875fb907b3d2cec25fefd9aa0e7f3ad

SHA1
54d09c3d99d9338347e8df2ab3e0ed48f5a2fb9f

SHA256
eb1bac69e467b4f83b48ea5eeff6d68f0490f316f401a848a96f0c55f701b915

SHA512
4cab05b71b15d4c25ede4977bb1aff508466956fb01db9286bda2984d7d3f74fa363fb2aaa67aa4504b0c7f9aa4ce0752809386404674410e3330e5cc766c8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
206B

MD5
f875fb907b3d2cec25fefd9aa0e7f3ad

SHA1
54d09c3d99d9338347e8df2ab3e0ed48f5a2fb9f

SHA256
eb1bac69e467b4f83b48ea5eeff6d68f0490f316f401a848a96f0c55f701b915

SHA512
4cab05b71b15d4c25ede4977bb1aff508466956fb01db9286bda2984d7d3f74fa363fb2aaa67aa4504b0c7f9aa4ce0752809386404674410e3330e5cc766c8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
206B

MD5
d2eb6894100bc1275e0e9116af31410f

SHA1
5996019edac1151eee00206b43e9b77e70975693

SHA256
eecaac3df5f308ade8bfe144c5ead61ad12df1ac6bcdb566514d74bd1df5d996

SHA512
1c3be4cfa5fc92a3569447ea7402b08eb304c3f303f162231c0e38b8dc551325a4f2941cf4e50418e0896d97c5367aa2814fc8fe150a3aa5a638108789c11ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

Filesize
206B

MD5
164e9f999516fc332c9ac6cf8785cfb6

SHA1
056d8ced4ec354ba54a2a3d3f9ab025feb1aaee4

SHA256
813ddead19ccf1bf981481fc0cdc258606612f0946cae9bf858b98fd2ce08df7

SHA512
7097a405b0f15335cf73c5afa1a9617fd96ef61d24edff566c64bdd58da2f1d52ba57b12cb51fe9ca338d22ae7ea6e1b4d31bae471ba90a1c840da861d0ee9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
206B

MD5
b62ced79b5d8bd45b329f89a799dbdf4

SHA1
13bcb73d176dfa353dd48344cc2e1a58f012777a

SHA256
a7b5ea2e95d19458bba82e89af9a7c75e820ddf1f7a66e07edf047aa7ef17815

SHA512
e0b34c1791e4eeff49cdfb560a61b2764cc537256c075f574fd931e61c41be4d9b0e74a9d6788bd1b6f6824ed77062ca9835825aa99d2a7ca16044630f39a011

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
206B

MD5
616a78d9156d46162d666dc417704b65

SHA1
e7de8b8e51e74ab05f1619b902d18ce85b3bc3ea

SHA256
daa41ba8f3aad57d0804ea4e3ad4eebeb74a8f8d755037dfe5aab7234438b032

SHA512
5e311fdf85e4374767d99fdf301089237798761291a121bfa236cd851e2c74018287383e9bf30699af59b64886059f4da8de9739689803fb9b10e69601f60807

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

Filesize
206B

MD5
9166bab58297579cf564292b929ca3a6

SHA1
85f95156ba195ec145e3ea44a95e57a04e8223a2

SHA256
41965a4dd8d69171b3857a1940eccabf6574e8e7d93a62ff119c05c0721e7f73

SHA512
3839764c06d532c37f4ee40c39770c3f6749cc5c6287eccef2081712757586d0f8537a7e919e4c472f2433d8ae04790a6c461c5196b8e14fcd922a23e350346b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/512-928-0x00000000018B0000-0x00000000018C2000-memory.dmp

Filesize
72KB

Download
memory/1008-381-0x0000018F9F230000-0x0000018F9F2A6000-memory.dmp

Filesize
472KB

Download
memory/2716-364-0x0000023176EB0000-0x0000023176ED2000-memory.dmp

Filesize
136KB

Download
memory/3156-934-0x00000000016A0000-0x00000000016B2000-memory.dmp

Filesize
72KB

Download
memory/3468-157-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-154-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-169-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-120-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-171-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-170-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-168-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-121-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-167-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-173-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-166-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-174-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-182-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-181-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-165-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-122-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-180-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-179-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-164-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-178-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-119-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-177-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-163-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-162-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-161-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-160-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-159-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-158-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-175-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-156-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-176-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-124-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-155-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-172-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-153-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-151-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-152-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-150-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-149-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-148-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-147-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-146-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-145-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-144-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-143-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-142-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-141-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-140-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-139-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-138-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-137-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-136-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-135-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-134-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-133-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-132-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-131-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-125-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-130-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-129-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-128-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/3468-127-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/4772-287-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/4772-285-0x0000000000410000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4772-288-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/4772-289-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/4772-286-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/5028-185-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/5028-184-0x0000000077740000-0x00000000778CE000-memory.dmp

Filesize
1.6MB

Download
memory/5376-912-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/6128-906-0x00000000012C0000-0x00000000012D2000-memory.dmp

Filesize
72KB

Download