dcrat | 68063e81bbc6cc2ab1008ecf20874cd586ea19e9089a47b31774bd6f098a70f7

Analysis

max time kernel
147s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68063e81bbc6cc2ab1008ecf20874cd586ea19e9089a47b31774bd6f098a70f7.exe
Size

1.3MB
MD5

176353b465e93b4a549997d5ddbd0fd5
SHA1

d19097a3003ed7da6f4e5024f2554cd03a151d3c
SHA256

68063e81bbc6cc2ab1008ecf20874cd586ea19e9089a47b31774bd6f098a70f7
SHA512

e3ebf57b5bbe449f8092f04a35a629a3c72fcf6113365128ba1e19770b2eef7be08b2b3e7bd2bd824bf33d7ec8f31e84ae37044b7cd847c1871f70db02f43305
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	96	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	192	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	3884	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	3884	schtasks.exe	70

DCRat payload 18 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac2d-279.dat	dcrat
behavioral1/files/0x000800000001ac2d-280.dat	dcrat
behavioral1/memory/5100-281-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac3b-349.dat	dcrat
behavioral1/files/0x000600000001ac3b-348.dat	dcrat
behavioral1/files/0x000600000001ac3b-890.dat	dcrat
behavioral1/files/0x000600000001ac3b-897.dat	dcrat
behavioral1/files/0x000600000001ac3b-903.dat	dcrat
behavioral1/files/0x000600000001ac3b-908.dat	dcrat
behavioral1/files/0x000600000001ac3b-914.dat	dcrat
behavioral1/files/0x000600000001ac3b-919.dat	dcrat
behavioral1/files/0x000600000001ac3b-924.dat	dcrat
behavioral1/files/0x000600000001ac3b-929.dat	dcrat
behavioral1/files/0x000600000001ac3b-935.dat	dcrat
behavioral1/files/0x000600000001ac3b-940.dat	dcrat
behavioral1/files/0x000600000001ac3b-945.dat	dcrat
behavioral1/files/0x000600000001ac3b-951.dat	dcrat
behavioral1/files/0x000600000001ac3b-956.dat	dcrat

Executes dropped EXE 15 IoCs

pid	Process
5100	DllCommonsvc.exe
4344	dllhost.exe
5776	dllhost.exe
5960	dllhost.exe
5124	dllhost.exe
5380	dllhost.exe
4440	dllhost.exe
3820	dllhost.exe
3672	dllhost.exe
5508	dllhost.exe
5532	dllhost.exe
4424	dllhost.exe
2716	dllhost.exe
4816	dllhost.exe
812	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\appcompat\smss.exe	DllCommonsvc.exe
File created	C:\Windows\appcompat\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3080	schtasks.exe
4532	schtasks.exe
4504	schtasks.exe
2192	schtasks.exe
3144	schtasks.exe
4372	schtasks.exe
96	schtasks.exe
3700	schtasks.exe
2740	schtasks.exe
1596	schtasks.exe
356	schtasks.exe
528	schtasks.exe
3308	schtasks.exe
308	schtasks.exe
1876	schtasks.exe
5056	schtasks.exe
1516	schtasks.exe
192	schtasks.exe
656	schtasks.exe
504	schtasks.exe
5032	schtasks.exe
3588	schtasks.exe
860	schtasks.exe
4396	schtasks.exe
3164	schtasks.exe
1440	schtasks.exe
1404	schtasks.exe
4584	schtasks.exe
2056	schtasks.exe
4436	schtasks.exe
4572	schtasks.exe
4632	schtasks.exe
4552	schtasks.exe
4480	schtasks.exe
4520	schtasks.exe
1064	schtasks.exe
1708	schtasks.exe
4344	schtasks.exe
2088	schtasks.exe
4968	schtasks.exe
4360	schtasks.exe
4456	schtasks.exe
3116	schtasks.exe
500	schtasks.exe
3912	schtasks.exe
1548	schtasks.exe
4348	schtasks.exe
1856	schtasks.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	68063e81bbc6cc2ab1008ecf20874cd586ea19e9089a47b31774bd6f098a70f7.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
5100	DllCommonsvc.exe
2492	powershell.exe
2492	powershell.exe
2804	powershell.exe
2804	powershell.exe
2980	powershell.exe
2980	powershell.exe
3744	powershell.exe
3744	powershell.exe
2716	powershell.exe
2716	powershell.exe
2376	powershell.exe
2376	powershell.exe
3880	powershell.exe
3880	powershell.exe
4728	powershell.exe
4728	powershell.exe
4704	powershell.exe
4704	powershell.exe
4724	powershell.exe
4724	powershell.exe
4756	powershell.exe
4756	powershell.exe
4744	powershell.exe
3268	powershell.exe
4744	powershell.exe
3268	powershell.exe
3404	powershell.exe
3404	powershell.exe
2980	powershell.exe
2828	powershell.exe
2828	powershell.exe
3744	powershell.exe
4860	powershell.exe
4860	powershell.exe
4744	powershell.exe
3372	powershell.exe
3372	powershell.exe
3268	powershell.exe
4344	dllhost.exe
4344	dllhost.exe
2492	powershell.exe
2804	powershell.exe
2492	powershell.exe
4728	powershell.exe
4724	powershell.exe
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	DllCommonsvc.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4344	dllhost.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeIncreaseQuotaPrivilege	4744	powershell.exe
Token: SeSecurityPrivilege	4744	powershell.exe
Token: SeTakeOwnershipPrivilege	4744	powershell.exe
Token: SeLoadDriverPrivilege	4744	powershell.exe
Token: SeSystemProfilePrivilege	4744	powershell.exe
Token: SeSystemtimePrivilege	4744	powershell.exe
Token: SeProfSingleProcessPrivilege	4744	powershell.exe
Token: SeIncBasePriorityPrivilege	4744	powershell.exe
Token: SeCreatePagefilePrivilege	4744	powershell.exe
Token: SeBackupPrivilege	4744	powershell.exe
Token: SeRestorePrivilege	4744	powershell.exe
Token: SeShutdownPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeSystemEnvironmentPrivilege	4744	powershell.exe
Token: SeRemoteShutdownPrivilege	4744	powershell.exe
Token: SeUndockPrivilege	4744	powershell.exe
Token: SeManageVolumePrivilege	4744	powershell.exe
Token: 33	4744	powershell.exe
Token: 34	4744	powershell.exe
Token: 35	4744	powershell.exe
Token: 36	4744	powershell.exe
Token: SeIncreaseQuotaPrivilege	2980	powershell.exe
Token: SeSecurityPrivilege	2980	powershell.exe
Token: SeTakeOwnershipPrivilege	2980	powershell.exe
Token: SeLoadDriverPrivilege	2980	powershell.exe
Token: SeSystemProfilePrivilege	2980	powershell.exe
Token: SeSystemtimePrivilege	2980	powershell.exe
Token: SeProfSingleProcessPrivilege	2980	powershell.exe
Token: SeIncBasePriorityPrivilege	2980	powershell.exe
Token: SeCreatePagefilePrivilege	2980	powershell.exe
Token: SeBackupPrivilege	2980	powershell.exe
Token: SeRestorePrivilege	2980	powershell.exe
Token: SeShutdownPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeSystemEnvironmentPrivilege	2980	powershell.exe
Token: SeRemoteShutdownPrivilege	2980	powershell.exe
Token: SeUndockPrivilege	2980	powershell.exe
Token: SeManageVolumePrivilege	2980	powershell.exe
Token: 33	2980	powershell.exe
Token: 34	2980	powershell.exe
Token: 35	2980	powershell.exe
Token: 36	2980	powershell.exe
Token: SeIncreaseQuotaPrivilege	3744	powershell.exe
Token: SeSecurityPrivilege	3744	powershell.exe
Token: SeTakeOwnershipPrivilege	3744	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3108	2700	68063e81bbc6cc2ab1008ecf20874cd586ea19e9089a47b31774bd6f098a70f7.exe	66
PID 2700 wrote to memory of 3108	2700	68063e81bbc6cc2ab1008ecf20874cd586ea19e9089a47b31774bd6f098a70f7.exe	66
PID 2700 wrote to memory of 3108	2700	68063e81bbc6cc2ab1008ecf20874cd586ea19e9089a47b31774bd6f098a70f7.exe	66
PID 3108 wrote to memory of 4248	3108	WScript.exe	67
PID 3108 wrote to memory of 4248	3108	WScript.exe	67
PID 3108 wrote to memory of 4248	3108	WScript.exe	67
PID 4248 wrote to memory of 5100	4248	cmd.exe	69
PID 4248 wrote to memory of 5100	4248	cmd.exe	69
PID 5100 wrote to memory of 2492	5100	DllCommonsvc.exe	119
PID 5100 wrote to memory of 2492	5100	DllCommonsvc.exe	119
PID 5100 wrote to memory of 2804	5100	DllCommonsvc.exe	122
PID 5100 wrote to memory of 2804	5100	DllCommonsvc.exe	122
PID 5100 wrote to memory of 2980	5100	DllCommonsvc.exe	121
PID 5100 wrote to memory of 2980	5100	DllCommonsvc.exe	121
PID 5100 wrote to memory of 3744	5100	DllCommonsvc.exe	123
PID 5100 wrote to memory of 3744	5100	DllCommonsvc.exe	123
PID 5100 wrote to memory of 2376	5100	DllCommonsvc.exe	124
PID 5100 wrote to memory of 2376	5100	DllCommonsvc.exe	124
PID 5100 wrote to memory of 3880	5100	DllCommonsvc.exe	125
PID 5100 wrote to memory of 3880	5100	DllCommonsvc.exe	125
PID 5100 wrote to memory of 2716	5100	DllCommonsvc.exe	128
PID 5100 wrote to memory of 2716	5100	DllCommonsvc.exe	128
PID 5100 wrote to memory of 4728	5100	DllCommonsvc.exe	129
PID 5100 wrote to memory of 4728	5100	DllCommonsvc.exe	129
PID 5100 wrote to memory of 4724	5100	DllCommonsvc.exe	152
PID 5100 wrote to memory of 4724	5100	DllCommonsvc.exe	152
PID 5100 wrote to memory of 4756	5100	DllCommonsvc.exe	133
PID 5100 wrote to memory of 4756	5100	DllCommonsvc.exe	133
PID 5100 wrote to memory of 4704	5100	DllCommonsvc.exe	134
PID 5100 wrote to memory of 4704	5100	DllCommonsvc.exe	134
PID 5100 wrote to memory of 3268	5100	DllCommonsvc.exe	149
PID 5100 wrote to memory of 3268	5100	DllCommonsvc.exe	149
PID 5100 wrote to memory of 4744	5100	DllCommonsvc.exe	147
PID 5100 wrote to memory of 4744	5100	DllCommonsvc.exe	147
PID 5100 wrote to memory of 4860	5100	DllCommonsvc.exe	145
PID 5100 wrote to memory of 4860	5100	DllCommonsvc.exe	145
PID 5100 wrote to memory of 3404	5100	DllCommonsvc.exe	143
PID 5100 wrote to memory of 3404	5100	DllCommonsvc.exe	143
PID 5100 wrote to memory of 2828	5100	DllCommonsvc.exe	141
PID 5100 wrote to memory of 2828	5100	DllCommonsvc.exe	141
PID 5100 wrote to memory of 3372	5100	DllCommonsvc.exe	139
PID 5100 wrote to memory of 3372	5100	DllCommonsvc.exe	139
PID 5100 wrote to memory of 4344	5100	DllCommonsvc.exe	138
PID 5100 wrote to memory of 4344	5100	DllCommonsvc.exe	138
PID 4344 wrote to memory of 4984	4344	dllhost.exe	155
PID 4344 wrote to memory of 4984	4344	dllhost.exe	155
PID 4984 wrote to memory of 5168	4984	cmd.exe	157
PID 4984 wrote to memory of 5168	4984	cmd.exe	157
PID 4984 wrote to memory of 5776	4984	cmd.exe	158
PID 4984 wrote to memory of 5776	4984	cmd.exe	158
PID 5776 wrote to memory of 5884	5776	dllhost.exe	159
PID 5776 wrote to memory of 5884	5776	dllhost.exe	159
PID 5884 wrote to memory of 5940	5884	cmd.exe	161
PID 5884 wrote to memory of 5940	5884	cmd.exe	161
PID 5884 wrote to memory of 5960	5884	cmd.exe	162
PID 5884 wrote to memory of 5960	5884	cmd.exe	162
PID 5960 wrote to memory of 6068	5960	dllhost.exe	163
PID 5960 wrote to memory of 6068	5960	dllhost.exe	163
PID 6068 wrote to memory of 6124	6068	cmd.exe	165
PID 6068 wrote to memory of 6124	6068	cmd.exe	165
PID 6068 wrote to memory of 5124	6068	cmd.exe	166
PID 6068 wrote to memory of 5124	6068	cmd.exe	166
PID 5124 wrote to memory of 5160	5124	dllhost.exe	167
PID 5124 wrote to memory of 5160	5124	dllhost.exe	167

C:\Users\Admin\AppData\Local\Temp\68063e81bbc6cc2ab1008ecf20874cd586ea19e9089a47b31774bd6f098a70f7.exe
"C:\Users\Admin\AppData\Local\Temp\68063e81bbc6cc2ab1008ecf20874cd586ea19e9089a47b31774bd6f098a70f7.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
    - - C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5168
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5940
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:6068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:6124
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        12⤵
        
        PID:5160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1732
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        14⤵
        
        PID:4316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1056
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        16⤵
        
        PID:4376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3340
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        18⤵
        
        PID:4348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5504
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
        20⤵
        
        PID:4624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:5032
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
        22⤵
        
        PID:5668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3732
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        24⤵
        
        PID:4644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4908
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
        26⤵
        
        PID:3320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3692
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
        28⤵
        
        PID:4720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1708
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"
        30⤵
        
        PID:640
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        32⤵
        
        PID:3276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre1.8.0_66\lib\images\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\appcompat\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:96

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre1.8.0_66\lib\images\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\lib\images\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre1.8.0_66\lib\images\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69f4df19b02a61f6e8ccab625882bfda

SHA1
8d758d8aa8888ab5f41779ba23e7f9eaaaac8bf6

SHA256
7c5d9cabd220c558884f9125bf179e725653bba66b0c7b9d5d98f161f420863b

SHA512
f644d0fe7384eaea59e798728eb02e2924a80423aa3c2a091be1616f5365f01a01b9f8a930bb6a061b544bb9f3ac98dfb48f3b5b59a6da53d99e8781bf688325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69f4df19b02a61f6e8ccab625882bfda

SHA1
8d758d8aa8888ab5f41779ba23e7f9eaaaac8bf6

SHA256
7c5d9cabd220c558884f9125bf179e725653bba66b0c7b9d5d98f161f420863b

SHA512
f644d0fe7384eaea59e798728eb02e2924a80423aa3c2a091be1616f5365f01a01b9f8a930bb6a061b544bb9f3ac98dfb48f3b5b59a6da53d99e8781bf688325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c64538023d3e3e4e7945b78d28944e2

SHA1
b63d02429540741eca7a38f1b411c84b7685ed5e

SHA256
9c42ef1d15f69b4042a2a8f3b8821de7a4e79c97a4efb7d16872155e4cfc652f

SHA512
d73d0023bb90ffe9a132cab52616ded93f0be9cf5d119af6a7a039cc47f81c9f2b2aa77a3380e60989a2b174604f2bb128b5215315f035c307135ba621ad89fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ab61fbe51779767f6a8f09a44c08271

SHA1
61814c66f274b3582e1588aef7655b7c210cb410

SHA256
8b9f319ea54af978579417e8781d092c687afb84bfb44c52513e1d693e1bc6f1

SHA512
3f84836d91ea569fe36ebcbfd34a4714a242767142e57693825c3271bfb90578452d60aa39056d203406252e69b66f9fcec7371da95b85a400f052cf5cc6900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ab61fbe51779767f6a8f09a44c08271

SHA1
61814c66f274b3582e1588aef7655b7c210cb410

SHA256
8b9f319ea54af978579417e8781d092c687afb84bfb44c52513e1d693e1bc6f1

SHA512
3f84836d91ea569fe36ebcbfd34a4714a242767142e57693825c3271bfb90578452d60aa39056d203406252e69b66f9fcec7371da95b85a400f052cf5cc6900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8afddf563e67d923bb59370606075cfc

SHA1
fec54a22224c78d794f233078bd573216d7fca1c

SHA256
782e4d1d75e3036c203bff4001b927bf8b921d920e1af241728ff87447068f45

SHA512
7c325e4c4a236e7ccebb275f354d0a440fdc4fb18151a4629b5605025c8a207fb73ca2a1513092e7bb84ebf9b4e5e633a951598f0e071b9dc8bf306faf6a655a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8afddf563e67d923bb59370606075cfc

SHA1
fec54a22224c78d794f233078bd573216d7fca1c

SHA256
782e4d1d75e3036c203bff4001b927bf8b921d920e1af241728ff87447068f45

SHA512
7c325e4c4a236e7ccebb275f354d0a440fdc4fb18151a4629b5605025c8a207fb73ca2a1513092e7bb84ebf9b4e5e633a951598f0e071b9dc8bf306faf6a655a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8afddf563e67d923bb59370606075cfc

SHA1
fec54a22224c78d794f233078bd573216d7fca1c

SHA256
782e4d1d75e3036c203bff4001b927bf8b921d920e1af241728ff87447068f45

SHA512
7c325e4c4a236e7ccebb275f354d0a440fdc4fb18151a4629b5605025c8a207fb73ca2a1513092e7bb84ebf9b4e5e633a951598f0e071b9dc8bf306faf6a655a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8afddf563e67d923bb59370606075cfc

SHA1
fec54a22224c78d794f233078bd573216d7fca1c

SHA256
782e4d1d75e3036c203bff4001b927bf8b921d920e1af241728ff87447068f45

SHA512
7c325e4c4a236e7ccebb275f354d0a440fdc4fb18151a4629b5605025c8a207fb73ca2a1513092e7bb84ebf9b4e5e633a951598f0e071b9dc8bf306faf6a655a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3477108b2401bc2ea8f764cf149b7286

SHA1
070f2621d44488009b606ec83c0e82c00b22f0ea

SHA256
eb3a7a38f4ce1a0eefeb0867044fe5c6e0819bea44c3f489ae8a836935cb3130

SHA512
5d86eb120ecd881532b402e8fef0505cae3743e89166090a0a3f7c3ef180030763fa04f50b427bc42ff9274310ede8b3b66dd15745e629e1e45d12c522e4fb80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3b349d9c0abbe7201e9857afb3b77fa3

SHA1
c744597d0b2b0cd261ed15ac8928d116f74cf31e

SHA256
bad93998ed5723edf513462d5f715bcd23b1e6cdd05b505eec5bd252f93b3d6c

SHA512
0e12cd960ff8e084b4c16e9c442079410b6c878b15f7d2f13737751ab78fb19c1e19c707d0bc4fa3d754b3c4ac9ebffec2649713a2d8d8864a40c2323c929fd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
603d94f39b2ecb2b1526b49f59966243

SHA1
7e8bbe34403acead3fbec1f4a132bd70f4865271

SHA256
12c00b0c7d284bfa8a103d9406bd92692abceebf647eb0761f8e61a31addd5d9

SHA512
7365742672a7e339fef6b88e2292ee064c5214e3904b9a728b66ff590d007d06d5f8b9ddfc6819b1fd8d429774802714c3da5e6a72c4565d3de0b4395711da58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
603d94f39b2ecb2b1526b49f59966243

SHA1
7e8bbe34403acead3fbec1f4a132bd70f4865271

SHA256
12c00b0c7d284bfa8a103d9406bd92692abceebf647eb0761f8e61a31addd5d9

SHA512
7365742672a7e339fef6b88e2292ee064c5214e3904b9a728b66ff590d007d06d5f8b9ddfc6819b1fd8d429774802714c3da5e6a72c4565d3de0b4395711da58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
839afe0f7a476d3d76557bc07171c7c2

SHA1
0aae02a55400ccf4ad0785c4f9c9ecb439cb09e9

SHA256
f7f1791957a35d100863643d518ed633f288101d8d839a260d53b5fad79a38ea

SHA512
008d31bd1bb38a073be1a235a5967e0dd1680193d293e1a04ac92901f8383ec3333cec1782c28b4e4dd2e08d8db22fedeb177d38e5239e830af40edc1954921b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
077f6fd5ff0e74c1eed551c6fde2a8c2

SHA1
f7b747083282bc609981e6ac9edd0433b63ad424

SHA256
31c35240eb018ec7891ff162bc69f5150194c336c89eb8b68eb04dadb9a75846

SHA512
d2e95fcb57e778c5a13681b92aac9e972cfa99f9adfe05013d02fe5a80ec31b3320d5f211b1d874b35cce82fc222d8680a7235112fbb7c74f0f4ab4fb11fa838

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
198B

MD5
6c16bac72369d92bba042451a6e885f8

SHA1
37297d4db50c3b7cd9476b5b895bc2f15f95607b

SHA256
20038e3020af9dedd92eade7c1f76f79f94a37c73a6552aa6cf32bfc86ad9c80

SHA512
bc1aa2162113d9e49fb2867c2288484b06a154918aaf8e1a84b5cde49bf7934e1200fddefeb86863bf61eb25e8f18b8d10c40e4e7634ccfc681f22a849989c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
198B

MD5
6c16bac72369d92bba042451a6e885f8

SHA1
37297d4db50c3b7cd9476b5b895bc2f15f95607b

SHA256
20038e3020af9dedd92eade7c1f76f79f94a37c73a6552aa6cf32bfc86ad9c80

SHA512
bc1aa2162113d9e49fb2867c2288484b06a154918aaf8e1a84b5cde49bf7934e1200fddefeb86863bf61eb25e8f18b8d10c40e4e7634ccfc681f22a849989c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

Filesize
198B

MD5
524144097044a119eb87692691ff38f7

SHA1
1d09af033b7a5909e67dbf797d19e9c3ce90adf1

SHA256
a8f4bac8082a5f2fa5ca4cc9ef4c47c6fab616a40dbfae4bde5c06b3774ac998

SHA512
00b28ade6faf70af364bd3392b2f4890d6019008592988f1222d8026431028b9cf55a5c4f49f29361db9b12046f4a5d9c8929af9212e6757eea5845ae434e772

Download Submit
C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat

Filesize
198B

MD5
9b4fb2da56963889f5a330ba1f0fcfc6

SHA1
bf6d23a309374608d546b492e50966d41e845e80

SHA256
7a0831fe730869d8a2de04742aba515d032be27cd918660538553245099ffcb8

SHA512
67113446a05e770dd9959945763db5cfcbab967f5c3acd8aeffdbce97f96944fabb2761206006b0fb3f4afd5c0266eb5d7c9316f56195c6238a387cbe447f9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
198B

MD5
475c33727c18cf3212974bb6e198f856

SHA1
1cc1130b366a9a455d8f9e50bd9165cbb42cf920

SHA256
f363375d90b2340131531a82bd37c0c2b903b41a385716735ccd71e8cb11c849

SHA512
99be4558e387c0a414a3ca39f5b7f6b4e026acc5e9b08af91e75318911c9be638b5f32de4df391d38b8b063aec2b7819264fc00ba2a08f780c15f09f9cab6be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
198B

MD5
2bda63150dded8874408e354298bf96a

SHA1
9b6bc5950c8ae7f91fd58bfa688f305b6b03c3f4

SHA256
1547f49f9590b327613873a3dc09a01288be6b24c86e789b8268581cb2e105df

SHA512
2b3c847203505a9ee87a130b29104c42cc55b5b29ae8750319b135e464270cd12df82b7ca1f16e1f39cc5ba3fea409719e44bd6d3e1e8336fcd57491ef1b3e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
198B

MD5
2bda63150dded8874408e354298bf96a

SHA1
9b6bc5950c8ae7f91fd58bfa688f305b6b03c3f4

SHA256
1547f49f9590b327613873a3dc09a01288be6b24c86e789b8268581cb2e105df

SHA512
2b3c847203505a9ee87a130b29104c42cc55b5b29ae8750319b135e464270cd12df82b7ca1f16e1f39cc5ba3fea409719e44bd6d3e1e8336fcd57491ef1b3e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
198B

MD5
32829a5cd37df888057edb77e3e8c40e

SHA1
491052058a26d92df295b78a182ece8d82c7369a

SHA256
92e722866535584da45ec7efbe2eb1c5ffc7797fb61792283b1aacb027df0e6c

SHA512
1640e76cfaa03a7e293c3aa33fdfc0a67251b2b94e970a2f49fab8ce8278094e5493f43740548a9d73e0aa56b0f02f7ca3c3e769ba0c9f9e2986bff2bc26d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat

Filesize
198B

MD5
daad2bda2c6e9a0132a01656e5ad4d1a

SHA1
c2209cb4e7cd440b53449a68d95c8fcc7b06a375

SHA256
c87f9667e6c746ae3d7478fd4faf32911997f0c6e8f5b8deae11ae9af924e921

SHA512
837194db0b5557034791d64a7c08d64bff7ac4aee8856239dad3b42a27eca032e8d967d5cf17d89545c1881f9fd2f0489ce3580fc6d34610bbc80bbd35e228fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat

Filesize
198B

MD5
86596e6f989dc8ec2173c2db2518e1cf

SHA1
31d024a53c607dea25d1e7a48ca5ae36a4d1bbfb

SHA256
30371530ae05ddb5b8950abc51de1e032fbbb8cfc0d26bda70bef81ed92a669a

SHA512
cd734b9ed2e0e6f546dc46ca6c41804f817b936f05739f495b5c1551006e08d5712e43e4849993a670e7a74bdfd71de19bf6b1658122438770d81890f59824c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

Filesize
198B

MD5
138bf4c2b2f04815e0aee85c1908eee2

SHA1
d50f0420144bb81365a886127801722d95b0a3d1

SHA256
ccf0500e5059bef04f081f2b9a332e526c04eceaab88fc8eb7ddf23fce29a544

SHA512
b2a697d6d1be083c424c81df01a64cadd6967243f7eb52bf9ba9a9d69260508b2f94008f87026f8395be2f987034dbc621b7245fb4ed16be41b8cddefad366cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
198B

MD5
291db791b6fb2402c2c26e4fc918a839

SHA1
7d907192e647be71215b21e405bebb769fefbd78

SHA256
4af2fd076c42f28ea086ff52cf1ff1ec25d021732bcdd4808c070a03abd77bb4

SHA512
9c414e500d4965e7ab2aae395eab177e4fa610e0fa22fd7bba1b9b499ee4c8a4f7161f1901ce261ff1406ccdd3d9807f2a72944ed9aa74575e4dd5bf84d80476

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat

Filesize
198B

MD5
2cd9815d86613b73c04d06a9ace7dc38

SHA1
33f033038c834459bd6d847a70919f6dd8da4b61

SHA256
115d4e2bd0676b0c9607fd345ec67dd63dc618d3e9fe4a38bb9fbcaf0ad8b7bc

SHA512
b2ff4d52f5ba88427745867a5ee657d498a8f3a890725fa16d39877714fcf9f43c860d30f84931190d651793fa7d541f1f668a2ed1e16b5fc96881de38f96cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
198B

MD5
89d98d7a1b897e51aa830244ba75304e

SHA1
595e4ed8d9b9a1ebc1fc2dce026a8a5f68f422af

SHA256
97a5d51dbc04f4101cc1b95b7df7621ffde0d9345e19149577d8b870af220849

SHA512
ccb0f92081384e05785335ba6b8145314e383e30908a1e642ff1953cec7be7f09c9d0ad27d99820f76197710bb6880357d3f2987e474a242b7a3084ead2f81d7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/812-957-0x00000000013A0000-0x00000000013B2000-memory.dmp

Filesize
72KB

Download
memory/2492-373-0x0000027A66330000-0x0000027A66352000-memory.dmp

Filesize
136KB

Download
memory/2700-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-178-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-174-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-173-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-152-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-171-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-148-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-170-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-149-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-156-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-154-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-946-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/2980-410-0x000002429CB30000-0x000002429CBA6000-memory.dmp

Filesize
472KB

Download
memory/3108-180-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/3108-181-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4344-375-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/5100-282-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download
memory/5100-281-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/5100-284-0x00000000012C0000-0x00000000012CC000-memory.dmp

Filesize
48KB

Download
memory/5100-285-0x00000000012D0000-0x00000000012DC000-memory.dmp

Filesize
48KB

Download
memory/5100-283-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

Filesize
48KB

Download
memory/5380-909-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/5508-930-0x0000000001290000-0x00000000012A2000-memory.dmp

Filesize
72KB

Download
memory/5776-892-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/5960-898-0x0000000001210000-0x0000000001222000-memory.dmp

Filesize
72KB

Download