dcrat | 21617e86b535bd3e3ab39bb22a1bc42c29b522d5e5ca58940b2d562275cea338

Analysis

max time kernel
158s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21617e86b535bd3e3ab39bb22a1bc42c29b522d5e5ca58940b2d562275cea338.exe
Size

1.3MB
MD5

38285c085890a8f119ab577d3bc7b20a
SHA1

9887237b5745e09667ba2ab83795486309225e00
SHA256

21617e86b535bd3e3ab39bb22a1bc42c29b522d5e5ca58940b2d562275cea338
SHA512

16b2e1032314278ed5c3aae6957e397838db9e6a21b70725bcd9baf91b45cc8f174c19a6375640e58e68b4632d08e79ba1e04e75e779dbfa9103c38806b79e30
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3324	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	3324	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abec-282.dat	dcrat
behavioral1/files/0x000800000001abec-283.dat	dcrat
behavioral1/memory/3248-284-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat
behavioral1/files/0x000900000001abfb-805.dat	dcrat
behavioral1/files/0x000900000001abfb-806.dat	dcrat
behavioral1/files/0x000900000001abfb-932.dat	dcrat
behavioral1/files/0x000900000001abfb-938.dat	dcrat
behavioral1/files/0x000900000001abfb-943.dat	dcrat
behavioral1/files/0x000900000001abfb-949.dat	dcrat
behavioral1/files/0x000900000001abfb-954.dat	dcrat
behavioral1/files/0x000900000001abfb-960.dat	dcrat
behavioral1/files/0x000900000001abfb-965.dat	dcrat
behavioral1/files/0x000900000001abfb-970.dat	dcrat
behavioral1/files/0x000900000001abfb-976.dat	dcrat
behavioral1/files/0x000900000001abfb-982.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3248	DllCommonsvc.exe
5376	winlogon.exe
2296	winlogon.exe
6032	winlogon.exe
5588	winlogon.exe
2196	winlogon.exe
5184	winlogon.exe
5580	winlogon.exe
212	winlogon.exe
3916	winlogon.exe
1544	winlogon.exe
4132	winlogon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\System.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\fr-FR\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1944	schtasks.exe
3120	schtasks.exe
1432	schtasks.exe
816	schtasks.exe
1896	schtasks.exe
2620	schtasks.exe
3300	schtasks.exe
1940	schtasks.exe
540	schtasks.exe
3916	schtasks.exe
3116	schtasks.exe
4724	schtasks.exe
1840	schtasks.exe
528	schtasks.exe
1824	schtasks.exe
2800	schtasks.exe
4540	schtasks.exe
4876	schtasks.exe
848	schtasks.exe
3264	schtasks.exe
4824	schtasks.exe
824	schtasks.exe
3192	schtasks.exe
680	schtasks.exe
2228	schtasks.exe
4308	schtasks.exe
4748	schtasks.exe
2532	schtasks.exe
216	schtasks.exe
2600	schtasks.exe
524	schtasks.exe
1156	schtasks.exe
244	schtasks.exe
2412	schtasks.exe
4904	schtasks.exe
5024	schtasks.exe
332	schtasks.exe
336	schtasks.exe
4864	schtasks.exe
1252	schtasks.exe
1160	schtasks.exe
5000	schtasks.exe
4424	schtasks.exe
1592	schtasks.exe
5020	schtasks.exe
3456	schtasks.exe
504	schtasks.exe
2308	schtasks.exe
1248	schtasks.exe
1448	schtasks.exe
3212	schtasks.exe
204	schtasks.exe
1480	schtasks.exe
4988	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	21617e86b535bd3e3ab39bb22a1bc42c29b522d5e5ca58940b2d562275cea338.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	DllCommonsvc.exe
3248	DllCommonsvc.exe
3248	DllCommonsvc.exe
3248	DllCommonsvc.exe
3248	DllCommonsvc.exe
3164	powershell.exe
3164	powershell.exe
3856	powershell.exe
3856	powershell.exe
3964	powershell.exe
3964	powershell.exe
5084	powershell.exe
5084	powershell.exe
4320	powershell.exe
4320	powershell.exe
5112	powershell.exe
5112	powershell.exe
2252	powershell.exe
2252	powershell.exe
4740	powershell.exe
4740	powershell.exe
2372	powershell.exe
2372	powershell.exe
3688	powershell.exe
3688	powershell.exe
3636	powershell.exe
3636	powershell.exe
2772	powershell.exe
2772	powershell.exe
4740	powershell.exe
2016	powershell.exe
2016	powershell.exe
4180	powershell.exe
4180	powershell.exe
4336	powershell.exe
4336	powershell.exe
4256	powershell.exe
4256	powershell.exe
5112	powershell.exe
4320	powershell.exe
3044	powershell.exe
3044	powershell.exe
2252	powershell.exe
4484	powershell.exe
4484	powershell.exe
3688	powershell.exe
3636	powershell.exe
4256	powershell.exe
3044	powershell.exe
4484	powershell.exe
3856	powershell.exe
3856	powershell.exe
3164	powershell.exe
3164	powershell.exe
4740	powershell.exe
3964	powershell.exe
5112	powershell.exe
5112	powershell.exe
3964	powershell.exe
5084	powershell.exe
5084	powershell.exe
2372	powershell.exe
2016	powershell.exe
4180	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	DllCommonsvc.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeIncreaseQuotaPrivilege	5112	powershell.exe
Token: SeSecurityPrivilege	5112	powershell.exe
Token: SeTakeOwnershipPrivilege	5112	powershell.exe
Token: SeLoadDriverPrivilege	5112	powershell.exe
Token: SeSystemProfilePrivilege	5112	powershell.exe
Token: SeSystemtimePrivilege	5112	powershell.exe
Token: SeProfSingleProcessPrivilege	5112	powershell.exe
Token: SeIncBasePriorityPrivilege	5112	powershell.exe
Token: SeCreatePagefilePrivilege	5112	powershell.exe
Token: SeBackupPrivilege	5112	powershell.exe
Token: SeRestorePrivilege	5112	powershell.exe
Token: SeShutdownPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeSystemEnvironmentPrivilege	5112	powershell.exe
Token: SeRemoteShutdownPrivilege	5112	powershell.exe
Token: SeUndockPrivilege	5112	powershell.exe
Token: SeManageVolumePrivilege	5112	powershell.exe
Token: 33	5112	powershell.exe
Token: 34	5112	powershell.exe
Token: 35	5112	powershell.exe
Token: 36	5112	powershell.exe
Token: SeIncreaseQuotaPrivilege	4740	powershell.exe
Token: SeSecurityPrivilege	4740	powershell.exe
Token: SeTakeOwnershipPrivilege	4740	powershell.exe
Token: SeLoadDriverPrivilege	4740	powershell.exe
Token: SeSystemProfilePrivilege	4740	powershell.exe
Token: SeSystemtimePrivilege	4740	powershell.exe
Token: SeProfSingleProcessPrivilege	4740	powershell.exe
Token: SeIncBasePriorityPrivilege	4740	powershell.exe
Token: SeCreatePagefilePrivilege	4740	powershell.exe
Token: SeBackupPrivilege	4740	powershell.exe
Token: SeRestorePrivilege	4740	powershell.exe
Token: SeShutdownPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeSystemEnvironmentPrivilege	4740	powershell.exe
Token: SeRemoteShutdownPrivilege	4740	powershell.exe
Token: SeUndockPrivilege	4740	powershell.exe
Token: SeManageVolumePrivilege	4740	powershell.exe
Token: 33	4740	powershell.exe
Token: 34	4740	powershell.exe
Token: 35	4740	powershell.exe
Token: 36	4740	powershell.exe
Token: SeIncreaseQuotaPrivilege	4320	powershell.exe
Token: SeSecurityPrivilege	4320	powershell.exe
Token: SeTakeOwnershipPrivilege	4320	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2880	2416	21617e86b535bd3e3ab39bb22a1bc42c29b522d5e5ca58940b2d562275cea338.exe	66
PID 2416 wrote to memory of 2880	2416	21617e86b535bd3e3ab39bb22a1bc42c29b522d5e5ca58940b2d562275cea338.exe	66
PID 2416 wrote to memory of 2880	2416	21617e86b535bd3e3ab39bb22a1bc42c29b522d5e5ca58940b2d562275cea338.exe	66
PID 2880 wrote to memory of 4516	2880	WScript.exe	67
PID 2880 wrote to memory of 4516	2880	WScript.exe	67
PID 2880 wrote to memory of 4516	2880	WScript.exe	67
PID 4516 wrote to memory of 3248	4516	cmd.exe	69
PID 4516 wrote to memory of 3248	4516	cmd.exe	69
PID 3248 wrote to memory of 2328	3248	DllCommonsvc.exe	125
PID 3248 wrote to memory of 2328	3248	DllCommonsvc.exe	125
PID 3248 wrote to memory of 3964	3248	DllCommonsvc.exe	132
PID 3248 wrote to memory of 3964	3248	DllCommonsvc.exe	132
PID 3248 wrote to memory of 3164	3248	DllCommonsvc.exe	127
PID 3248 wrote to memory of 3164	3248	DllCommonsvc.exe	127
PID 3248 wrote to memory of 3856	3248	DllCommonsvc.exe	128
PID 3248 wrote to memory of 3856	3248	DllCommonsvc.exe	128
PID 3248 wrote to memory of 5084	3248	DllCommonsvc.exe	129
PID 3248 wrote to memory of 5084	3248	DllCommonsvc.exe	129
PID 3248 wrote to memory of 4320	3248	DllCommonsvc.exe	139
PID 3248 wrote to memory of 4320	3248	DllCommonsvc.exe	139
PID 3248 wrote to memory of 5112	3248	DllCommonsvc.exe	134
PID 3248 wrote to memory of 5112	3248	DllCommonsvc.exe	134
PID 3248 wrote to memory of 2252	3248	DllCommonsvc.exe	135
PID 3248 wrote to memory of 2252	3248	DllCommonsvc.exe	135
PID 3248 wrote to memory of 4740	3248	DllCommonsvc.exe	136
PID 3248 wrote to memory of 4740	3248	DllCommonsvc.exe	136
PID 3248 wrote to memory of 2372	3248	DllCommonsvc.exe	141
PID 3248 wrote to memory of 2372	3248	DllCommonsvc.exe	141
PID 3248 wrote to memory of 3688	3248	DllCommonsvc.exe	143
PID 3248 wrote to memory of 3688	3248	DllCommonsvc.exe	143
PID 3248 wrote to memory of 2772	3248	DllCommonsvc.exe	145
PID 3248 wrote to memory of 2772	3248	DllCommonsvc.exe	145
PID 3248 wrote to memory of 3636	3248	DllCommonsvc.exe	150
PID 3248 wrote to memory of 3636	3248	DllCommonsvc.exe	150
PID 3248 wrote to memory of 2016	3248	DllCommonsvc.exe	148
PID 3248 wrote to memory of 2016	3248	DllCommonsvc.exe	148
PID 3248 wrote to memory of 4180	3248	DllCommonsvc.exe	151
PID 3248 wrote to memory of 4180	3248	DllCommonsvc.exe	151
PID 3248 wrote to memory of 4256	3248	DllCommonsvc.exe	160
PID 3248 wrote to memory of 4256	3248	DllCommonsvc.exe	160
PID 3248 wrote to memory of 4336	3248	DllCommonsvc.exe	152
PID 3248 wrote to memory of 4336	3248	DllCommonsvc.exe	152
PID 3248 wrote to memory of 3044	3248	DllCommonsvc.exe	153
PID 3248 wrote to memory of 3044	3248	DllCommonsvc.exe	153
PID 3248 wrote to memory of 4484	3248	DllCommonsvc.exe	157
PID 3248 wrote to memory of 4484	3248	DllCommonsvc.exe	157
PID 3248 wrote to memory of 2308	3248	DllCommonsvc.exe	163
PID 3248 wrote to memory of 2308	3248	DllCommonsvc.exe	163
PID 2308 wrote to memory of 4744	2308	cmd.exe	165
PID 2308 wrote to memory of 4744	2308	cmd.exe	165
PID 2308 wrote to memory of 5376	2308	cmd.exe	167
PID 2308 wrote to memory of 5376	2308	cmd.exe	167
PID 5376 wrote to memory of 5996	5376	winlogon.exe	168
PID 5376 wrote to memory of 5996	5376	winlogon.exe	168
PID 5996 wrote to memory of 6132	5996	cmd.exe	170
PID 5996 wrote to memory of 6132	5996	cmd.exe	170
PID 5996 wrote to memory of 2296	5996	cmd.exe	171
PID 5996 wrote to memory of 2296	5996	cmd.exe	171
PID 2296 wrote to memory of 5748	2296	winlogon.exe	172
PID 2296 wrote to memory of 5748	2296	winlogon.exe	172
PID 5748 wrote to memory of 5576	5748	cmd.exe	174
PID 5748 wrote to memory of 5576	5748	cmd.exe	174
PID 5748 wrote to memory of 6032	5748	cmd.exe	175
PID 5748 wrote to memory of 6032	5748	cmd.exe	175

C:\Users\Admin\AppData\Local\Temp\21617e86b535bd3e3ab39bb22a1bc42c29b522d5e5ca58940b2d562275cea338.exe
"C:\Users\Admin\AppData\Local\Temp\21617e86b535bd3e3ab39bb22a1bc42c29b522d5e5ca58940b2d562275cea338.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lJjcBPjH5n.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4744
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:6132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5576
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
        11⤵
        
        PID:5484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
        13⤵
        
        PID:1832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:5968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        15⤵
        
        PID:4996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
        17⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
        19⤵
        
        PID:4320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3572
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
        21⤵
        
        PID:5356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:6136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        23⤵
        
        PID:4024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
        25⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe"
        26⤵
        Executes dropped EXE
        
        PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b70508e2bd7f743a8bad7096e5658da7

SHA1
161d0411eb69644eacab231d7a5998f86253a97e

SHA256
4e8b53a5c60c805e4bc72fb85f87c055300a640bc0c5de47386acdbd0b20ebfd

SHA512
702030bd5d40bb44fc241467db62bc3b6ba2c90fee1abd4788f4fd1a8277cd13331c5e0bc89d4fece3fbd722726e25f5612949de8772dd8972079a1321457ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b70508e2bd7f743a8bad7096e5658da7

SHA1
161d0411eb69644eacab231d7a5998f86253a97e

SHA256
4e8b53a5c60c805e4bc72fb85f87c055300a640bc0c5de47386acdbd0b20ebfd

SHA512
702030bd5d40bb44fc241467db62bc3b6ba2c90fee1abd4788f4fd1a8277cd13331c5e0bc89d4fece3fbd722726e25f5612949de8772dd8972079a1321457ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
239d03a66d088db9d445c86af4c79a6f

SHA1
8794c886a36c9b9b1f372d6f0f2eacecd3594dad

SHA256
5e23e1daa1c1655723f043c95fe9fd434255d40278e2c2c57bf1512cdd6fcaca

SHA512
16433647bcc81b5eb0d61433bd299f5a7a347a0c81d026d365a3a300e650edc8998342417c7bf5db1f6c7b373ba7730d799da3a9c14a3eae0794331585e5479e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5fc12ff2470ab42a849e1322a76f52c8

SHA1
c4d4680a5739d92bf5e2e659530d6f0605d98058

SHA256
682550212b75a4d4270ed20759600588e0b61b3a6b322bf333e97033d9f33a33

SHA512
f7d78a6e303da0a4495fe624db973adf1a4f15db80c3f4b66eda12b867a96f30b943fa80daf7eb84409155135ebc4a1ea770b9b86daf54f1e94c8ae86966c0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5fc12ff2470ab42a849e1322a76f52c8

SHA1
c4d4680a5739d92bf5e2e659530d6f0605d98058

SHA256
682550212b75a4d4270ed20759600588e0b61b3a6b322bf333e97033d9f33a33

SHA512
f7d78a6e303da0a4495fe624db973adf1a4f15db80c3f4b66eda12b867a96f30b943fa80daf7eb84409155135ebc4a1ea770b9b86daf54f1e94c8ae86966c0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
442e11028360e072349014a3a3065751

SHA1
e5257655ac58f84790355c90f5e2fc0a6271dbf9

SHA256
c895a59c8d83ba649909b5f61687bc7e6ff7c5054f664a20bf87203f54379994

SHA512
5acc6ae330347fe16e72c09ae0342109f7a8bdf5715e9ddc312370edb1579a789e90d717e5fcba0c6ca67c836af9004644bf9d60f255ec75fd057d9da654e388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
442e11028360e072349014a3a3065751

SHA1
e5257655ac58f84790355c90f5e2fc0a6271dbf9

SHA256
c895a59c8d83ba649909b5f61687bc7e6ff7c5054f664a20bf87203f54379994

SHA512
5acc6ae330347fe16e72c09ae0342109f7a8bdf5715e9ddc312370edb1579a789e90d717e5fcba0c6ca67c836af9004644bf9d60f255ec75fd057d9da654e388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
442e11028360e072349014a3a3065751

SHA1
e5257655ac58f84790355c90f5e2fc0a6271dbf9

SHA256
c895a59c8d83ba649909b5f61687bc7e6ff7c5054f664a20bf87203f54379994

SHA512
5acc6ae330347fe16e72c09ae0342109f7a8bdf5715e9ddc312370edb1579a789e90d717e5fcba0c6ca67c836af9004644bf9d60f255ec75fd057d9da654e388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac6c12888744adf1bb1c846dd4e9cc9e

SHA1
50c103966d9fabcd73fe86ecb18b866b53a69461

SHA256
f31778dadef8890f905739b68044a3e35810a4838242338efc251595a99b8e84

SHA512
008c91be89491cb412532b07a2e884ce477f0ed29309f2fcaaaf4292cd634996e9502e649b3e6335fe886dd61bb70065e4e5be157f32f419b8ed5c6a885fc22c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac6c12888744adf1bb1c846dd4e9cc9e

SHA1
50c103966d9fabcd73fe86ecb18b866b53a69461

SHA256
f31778dadef8890f905739b68044a3e35810a4838242338efc251595a99b8e84

SHA512
008c91be89491cb412532b07a2e884ce477f0ed29309f2fcaaaf4292cd634996e9502e649b3e6335fe886dd61bb70065e4e5be157f32f419b8ed5c6a885fc22c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
000da2ca8f8a25e2458f4d792f30ed7a

SHA1
0ddc8b8d90f559dab814e61803a8acd83bd83560

SHA256
4f85a8ca576bfe9809092f30d64652fa8516cb5a354cd48dacb3a74d8cbccc6f

SHA512
91ea44ee7320c1b0ee708ba5405f4e6834102f28ef127b50dda08cfdcf5f4f0b7b67a0cee5e22910e4deb04a1f73f5f12b9dc843609c7123223487574a55e947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8af341f24a9b89c24d3c70328d7c0ec

SHA1
dfc5a56adb27689b194931586759191ad3536071

SHA256
d10b593c8d6dc67c60f20e940af9826dfafc0d99b3046b33bc8559d27029484b

SHA512
11100c3daef52d710b471c4a352bc91e379e4bff8d7ec772d2ad25bf452eac864e5c073f0557b4d7c312fe877e8cde96c364c6593b9047206d98ec5262beec2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71e47974d2b8ba58408c2411bbcd99f5

SHA1
dc7882c9a2f060c83c971fcdaf623952fdbc003b

SHA256
b89119bc48195d02c491460ff9aa6e9addc7d4e544d62249e36b0ec2adb2277d

SHA512
a229c9df81ec5d1b45fd3872fd5fc9f5bfbdf8538203fc8dad0326ed30cdb078615e95b1c4b075158de6b636f5dc569c6fad7765cd901c5a0456d8b57dd9deff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cae293d7fc524ed3ad234bec575d185d

SHA1
f2f9230c6e4b488b04eae0da5165e06ef619a587

SHA256
5927f0e56f601397ab289d6963a489141ca2230f6fb539271a42fe7b473783a1

SHA512
c49a3ff54290d7a7000c8da52bf079b82274e68d04b414f5bc8c237fb30fe3ea228d035c9126d4a70ecb8a31fa8c1b56fbd463cd7cbf2dd7cb68daa270ccf315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cae293d7fc524ed3ad234bec575d185d

SHA1
f2f9230c6e4b488b04eae0da5165e06ef619a587

SHA256
5927f0e56f601397ab289d6963a489141ca2230f6fb539271a42fe7b473783a1

SHA512
c49a3ff54290d7a7000c8da52bf079b82274e68d04b414f5bc8c237fb30fe3ea228d035c9126d4a70ecb8a31fa8c1b56fbd463cd7cbf2dd7cb68daa270ccf315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c1be1f718f624a927c9722c9d1c43a1

SHA1
9fbfcb70f3788af6b3ee97cbf5031a1a0323f044

SHA256
a718657149817faef9293d8b9069ac248dedcf1c16ecfcdf0490a79df7e0b014

SHA512
649b932f2f603d7f016db16d405d7c77fe061388b7c5026b2323c9c986784279b350b7fa7deadd3cec942bc3d2f020a4caa4767f6efe462343e49becba03e126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
600f82f44f341ccf2c0b80572cfcbbd4

SHA1
1ab501d115e89b4e34b026aca9a32d135dd4850b

SHA256
f2e1e9f2ccc3cb7c4aeed7a67eba7eaf729bd9e2a3977bf40ad2b37228eab7ee

SHA512
10a98644c0210b75884809355a24673efb83b3ca86aa45cf0c7c97efbebe7c06d264fe39ac9d02b948fcc8001721664be7aa87f7a4256c68e34e236cf0a9b12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
233B

MD5
2f23d59dd769274655a9f23c4289963a

SHA1
ba206914fa9d4231fb75c84c8322c76100305740

SHA256
a9787656e82a90dec4b316309911bfaccf34753e9c3fbb47cd74d421a874dbf7

SHA512
7d428f1d02cf28a4d5aceb99c47ff9565f701e56e2f52a0f6cd43215aeb07653412681f6530eccdc07eba5ef6e801d85a48179b09b5d6cb29c69ac4167e3f15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
233B

MD5
1c55711ab6947d62234487b38a8e8482

SHA1
f4a3803dc1896fb8314b68a656de51f58667700e

SHA256
83343ed63b3b82f820db94779783fae97556013c509d5853b5be5915f0e8eeff

SHA512
f50872c37e216edfbf0401b8fa7e4bc0513d27023ca67124679f37c05617471c9d575cb8d115f39925b605a4b318551aff74711b7e26ad8d9fc41b19013333a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat

Filesize
233B

MD5
802303b62349fe00ca3ac0a956228343

SHA1
e8369e28cb4a4855141e949d3b65788d4a309117

SHA256
556a69609bfc6d4ffa8ccaf79bfc442cba67beb07f4e4c26f1ebfa7107074f3f

SHA512
4066efdde5b21c35886289d4aaa7b6cd997355476a5430480003bbafaa1b3d1a3e587a12204e6362f4647adf757273ad2be6b7cadb714a1444120ff856ae6daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat

Filesize
233B

MD5
8b262d5f64cc021b30a90ee22d349d8a

SHA1
b6a56201ebb628e241998e3b6e4af5b99b6b9c56

SHA256
1837b7483b6f29e1e7f621966e00a739d0b5c8a9ae757748d695a89309ff8955

SHA512
42fe89537d7f3e78900bbffe3862e010ae285baac51540b961ecaeacb69e1edf2583a3fed2159401eca7cdb9468c449260dc590b98548324daa9a3efcaa40476

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
233B

MD5
210c7cb74ac50564b96f7fe6ad8ab816

SHA1
d887a30248d923d6a5f419cae6b6546344d52d4b

SHA256
d30b369404c14795f01a8ab0c28adef19bdf71f0ec54690db7085c8a9c1e0520

SHA512
c7ec79050e42afba2f38adc6aa6c42622a8fef8703a14ccf7fb3b887a6a356a7897585ee3f6e1a291ade093761e17e6303e2d5c97cd2379604282b85ccdb16b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat

Filesize
233B

MD5
c3b6bf77370d8a067562ea3169c13ac5

SHA1
4dd18920206e15f16848839ace1c780f9ae591a1

SHA256
4441f2fd2b48810caaddf7655dbb87214991f4addb78dd7416307b47275b5f1c

SHA512
cfb5de75c86d7859559252c8308174171e46b663ef86f30fe5534cd2f83484894e25498c61d323c363f0ff2e2a4ca44eed0c7120c82b4935ad4c3faf6017a30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

Filesize
233B

MD5
7fa44ffe4bf1a4118ed4aa89139d8820

SHA1
5f4fa99abf6127561971f15cc7e4409c2689f54b

SHA256
fca0c6304003484cb74477d51c536cd6739a113b130a7167a4ac13f4b2370d41

SHA512
22330f096e23181437ab5f66403fa29f2d642d4c3aaaa653603068d7182dedb52f1ce36ffd9d1fc052ca895cef051f1bf83e103cbb2e6d40ae9d7766407d2461

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
233B

MD5
f5cd6f5178a5d4498e19aa33ff64cffb

SHA1
a87a642cb74e2003249dd0e09ca22193493bc860

SHA256
d3ffeffeca3b49aab1ef8d699131bdf6bb1e3e8f4540ec8d1e31551675a7ec23

SHA512
c209c8cb2900e6117276fc98900215976790ab92091341299144de5ca7b68a6650a69351617cea714d91683dc338aa8ee972700d572b9f0ce0c82e6f783cec4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

Filesize
233B

MD5
5acabbf2d2feba764f1b5975914e089a

SHA1
2cc24bfaccc77281cfd0be01c336e68c4344f02a

SHA256
3ddc78ee8d00e0416979b241a038d8c16dbf890243788285f93027882436e887

SHA512
308cd002cbae4d27c7b3a727f7068ca10256191ffde7c760550bea07a641355d230191564a936aec282443f69db6353ff10b90fff7a4566e085672057455b482

Download Submit
C:\Users\Admin\AppData\Local\Temp\lJjcBPjH5n.bat

Filesize
233B

MD5
5dc4676c35499e16c77836568c6afc19

SHA1
001912e1f328442c868d86df384894953c47f829

SHA256
16908e55ef4b5bf3b68d030eddaaa6cd83cc6d51cae8500f005314fca9bdfc87

SHA512
d88d036ac90baea50881e5a7ddc4cdb466cc7d10cbadec9ad88e7d59636720544defa4316b92229e72c13539c968474abcf4f6df67a159df48fa99874c84761c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
233B

MD5
ef766d767fb10af5f3951e45a35257cc

SHA1
243836e51029c759ca181cafb9f56012df4c5a4f

SHA256
5467b249756360dc0986489cdc54a6b2fd6f71289d005e93d31634c4e1d99e39

SHA512
6b52ff5db9caa35181b19f485ef2caec4c7a55337fdad9c5a2a19c5d2ce2e0109358e67221c168a3c83b3c09602686bc0180ca0691b46e737ec8961297f5825b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1544-977-0x0000000002230000-0x0000000002242000-memory.dmp

Filesize
72KB

Download
memory/2416-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2416-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2880-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2880-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3164-373-0x00000179B4BB0000-0x00000179B4BD2000-memory.dmp

Filesize
136KB

Download
memory/3248-284-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download
memory/3248-287-0x000000001B930000-0x000000001B93C000-memory.dmp

Filesize
48KB

Download
memory/3248-285-0x0000000002F30000-0x0000000002F42000-memory.dmp

Filesize
72KB

Download
memory/3248-286-0x0000000002F40000-0x0000000002F4C000-memory.dmp

Filesize
48KB

Download
memory/3248-288-0x000000001B940000-0x000000001B94C000-memory.dmp

Filesize
48KB

Download
memory/3916-971-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/4132-983-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download
memory/4740-388-0x00000253E0A20000-0x00000253E0A96000-memory.dmp

Filesize
472KB

Download
memory/5184-955-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/5588-944-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download