dcrat | a8d7c26c2e49c9a05c6bd9fbb48b448737beda314a0479be3b41f17d3dc7170c

Analysis

max time kernel
147s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d7c26c2e49c9a05c6bd9fbb48b448737beda314a0479be3b41f17d3dc7170c.exe
Size

1.3MB
MD5

2025f8a8b24855efc906d64feb86f480
SHA1

5f4cf2253af2cb4a98f23796f0430af325408105
SHA256

a8d7c26c2e49c9a05c6bd9fbb48b448737beda314a0479be3b41f17d3dc7170c
SHA512

6b2566f870f51d2d917c6eb37c0e118c67fa72d5898615b0e5c883a37aa5f8e531bdbfe3c4d852de6fcf2918fe0f0790e781ca8d9979281c2d8d5cd318bf41bf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	1852	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	1852	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abd7-284.dat	dcrat
behavioral1/files/0x000800000001abd7-285.dat	dcrat
behavioral1/memory/3972-286-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/files/0x000600000001abe1-676.dat	dcrat
behavioral1/files/0x000600000001abe1-675.dat	dcrat
behavioral1/files/0x000600000001abe1-899.dat	dcrat
behavioral1/files/0x000600000001abe1-905.dat	dcrat
behavioral1/files/0x000600000001abe1-910.dat	dcrat
behavioral1/files/0x000600000001abe1-915.dat	dcrat
behavioral1/files/0x000600000001abe1-921.dat	dcrat
behavioral1/files/0x000600000001abe1-927.dat	dcrat
behavioral1/files/0x000600000001abe1-933.dat	dcrat
behavioral1/files/0x000600000001abe1-938.dat	dcrat
behavioral1/files/0x000600000001abe1-943.dat	dcrat
behavioral1/files/0x000600000001abe1-949.dat	dcrat
behavioral1/files/0x000600000001abe1-954.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
3972	DllCommonsvc.exe
4648	conhost.exe
5584	conhost.exe
5764	conhost.exe
5940	conhost.exe
6120	conhost.exe
5276	conhost.exe
1332	conhost.exe
1360	conhost.exe
4556	conhost.exe
3568	conhost.exe
308	conhost.exe
4408	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\System.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5068	schtasks.exe
3144	schtasks.exe
4480	schtasks.exe
4208	schtasks.exe
2108	schtasks.exe
436	schtasks.exe
220	schtasks.exe
5020	schtasks.exe
1460	schtasks.exe
4588	schtasks.exe
4640	schtasks.exe
2684	schtasks.exe
4656	schtasks.exe
1868	schtasks.exe
2400	schtasks.exe
1888	schtasks.exe
4636	schtasks.exe
4688	schtasks.exe
4516	schtasks.exe
2396	schtasks.exe
4364	schtasks.exe
4532	schtasks.exe
4552	schtasks.exe
2028	schtasks.exe
4408	schtasks.exe
2444	schtasks.exe
3828	schtasks.exe
228	schtasks.exe
3760	schtasks.exe
1800	schtasks.exe
2824	schtasks.exe
4704	schtasks.exe
3468	schtasks.exe
2120	schtasks.exe
3928	schtasks.exe
3292	schtasks.exe
316	schtasks.exe
4620	schtasks.exe
4496	schtasks.exe
1020	schtasks.exe
2092	schtasks.exe
4944	schtasks.exe
1804	schtasks.exe
4528	schtasks.exe
1764	schtasks.exe
1712	schtasks.exe
2136	schtasks.exe
2204	schtasks.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	a8d7c26c2e49c9a05c6bd9fbb48b448737beda314a0479be3b41f17d3dc7170c.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3972	DllCommonsvc.exe
3972	DllCommonsvc.exe
3972	DllCommonsvc.exe
3972	DllCommonsvc.exe
3972	DllCommonsvc.exe
3972	DllCommonsvc.exe
3972	DllCommonsvc.exe
3972	DllCommonsvc.exe
3972	DllCommonsvc.exe
604	powershell.exe
604	powershell.exe
3848	powershell.exe
3848	powershell.exe
2696	powershell.exe
2696	powershell.exe
880	powershell.exe
880	powershell.exe
1172	powershell.exe
1172	powershell.exe
4756	powershell.exe
4756	powershell.exe
1224	powershell.exe
1224	powershell.exe
496	powershell.exe
496	powershell.exe
3836	powershell.exe
3836	powershell.exe
1500	powershell.exe
1500	powershell.exe
3772	powershell.exe
3772	powershell.exe
4920	powershell.exe
4920	powershell.exe
4348	powershell.exe
4348	powershell.exe
4228	powershell.exe
4228	powershell.exe
4232	powershell.exe
4232	powershell.exe
496	powershell.exe
1376	powershell.exe
1376	powershell.exe
3388	powershell.exe
3388	powershell.exe
4228	powershell.exe
604	powershell.exe
604	powershell.exe
3848	powershell.exe
3848	powershell.exe
3836	powershell.exe
4228	powershell.exe
2696	powershell.exe
2696	powershell.exe
1224	powershell.exe
1172	powershell.exe
880	powershell.exe
1172	powershell.exe
880	powershell.exe
4756	powershell.exe
496	powershell.exe
1500	powershell.exe
4348	powershell.exe
3772	powershell.exe
4232	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3972	DllCommonsvc.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	496	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeIncreaseQuotaPrivilege	4228	powershell.exe
Token: SeSecurityPrivilege	4228	powershell.exe
Token: SeTakeOwnershipPrivilege	4228	powershell.exe
Token: SeLoadDriverPrivilege	4228	powershell.exe
Token: SeSystemProfilePrivilege	4228	powershell.exe
Token: SeSystemtimePrivilege	4228	powershell.exe
Token: SeProfSingleProcessPrivilege	4228	powershell.exe
Token: SeIncBasePriorityPrivilege	4228	powershell.exe
Token: SeCreatePagefilePrivilege	4228	powershell.exe
Token: SeBackupPrivilege	4228	powershell.exe
Token: SeRestorePrivilege	4228	powershell.exe
Token: SeShutdownPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeSystemEnvironmentPrivilege	4228	powershell.exe
Token: SeRemoteShutdownPrivilege	4228	powershell.exe
Token: SeUndockPrivilege	4228	powershell.exe
Token: SeManageVolumePrivilege	4228	powershell.exe
Token: 33	4228	powershell.exe
Token: 34	4228	powershell.exe
Token: 35	4228	powershell.exe
Token: 36	4228	powershell.exe
Token: SeIncreaseQuotaPrivilege	496	powershell.exe
Token: SeSecurityPrivilege	496	powershell.exe
Token: SeTakeOwnershipPrivilege	496	powershell.exe
Token: SeLoadDriverPrivilege	496	powershell.exe
Token: SeSystemProfilePrivilege	496	powershell.exe
Token: SeSystemtimePrivilege	496	powershell.exe
Token: SeProfSingleProcessPrivilege	496	powershell.exe
Token: SeIncBasePriorityPrivilege	496	powershell.exe
Token: SeCreatePagefilePrivilege	496	powershell.exe
Token: SeBackupPrivilege	496	powershell.exe
Token: SeRestorePrivilege	496	powershell.exe
Token: SeShutdownPrivilege	496	powershell.exe
Token: SeDebugPrivilege	496	powershell.exe
Token: SeSystemEnvironmentPrivilege	496	powershell.exe
Token: SeRemoteShutdownPrivilege	496	powershell.exe
Token: SeUndockPrivilege	496	powershell.exe
Token: SeManageVolumePrivilege	496	powershell.exe
Token: 33	496	powershell.exe
Token: 34	496	powershell.exe
Token: 35	496	powershell.exe
Token: 36	496	powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	powershell.exe
Token: SeSecurityPrivilege	2696	powershell.exe
Token: SeTakeOwnershipPrivilege	2696	powershell.exe
Token: SeLoadDriverPrivilege	2696	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 4996	1312	a8d7c26c2e49c9a05c6bd9fbb48b448737beda314a0479be3b41f17d3dc7170c.exe	66
PID 1312 wrote to memory of 4996	1312	a8d7c26c2e49c9a05c6bd9fbb48b448737beda314a0479be3b41f17d3dc7170c.exe	66
PID 1312 wrote to memory of 4996	1312	a8d7c26c2e49c9a05c6bd9fbb48b448737beda314a0479be3b41f17d3dc7170c.exe	66
PID 4996 wrote to memory of 2096	4996	WScript.exe	67
PID 4996 wrote to memory of 2096	4996	WScript.exe	67
PID 4996 wrote to memory of 2096	4996	WScript.exe	67
PID 2096 wrote to memory of 3972	2096	cmd.exe	69
PID 2096 wrote to memory of 3972	2096	cmd.exe	69
PID 3972 wrote to memory of 3848	3972	DllCommonsvc.exe	119
PID 3972 wrote to memory of 3848	3972	DllCommonsvc.exe	119
PID 3972 wrote to memory of 604	3972	DllCommonsvc.exe	126
PID 3972 wrote to memory of 604	3972	DllCommonsvc.exe	126
PID 3972 wrote to memory of 2696	3972	DllCommonsvc.exe	120
PID 3972 wrote to memory of 2696	3972	DllCommonsvc.exe	120
PID 3972 wrote to memory of 880	3972	DllCommonsvc.exe	123
PID 3972 wrote to memory of 880	3972	DllCommonsvc.exe	123
PID 3972 wrote to memory of 1172	3972	DllCommonsvc.exe	121
PID 3972 wrote to memory of 1172	3972	DllCommonsvc.exe	121
PID 3972 wrote to memory of 4756	3972	DllCommonsvc.exe	128
PID 3972 wrote to memory of 4756	3972	DllCommonsvc.exe	128
PID 3972 wrote to memory of 1224	3972	DllCommonsvc.exe	129
PID 3972 wrote to memory of 1224	3972	DllCommonsvc.exe	129
PID 3972 wrote to memory of 496	3972	DllCommonsvc.exe	130
PID 3972 wrote to memory of 496	3972	DllCommonsvc.exe	130
PID 3972 wrote to memory of 3836	3972	DllCommonsvc.exe	133
PID 3972 wrote to memory of 3836	3972	DllCommonsvc.exe	133
PID 3972 wrote to memory of 1500	3972	DllCommonsvc.exe	134
PID 3972 wrote to memory of 1500	3972	DllCommonsvc.exe	134
PID 3972 wrote to memory of 3772	3972	DllCommonsvc.exe	149
PID 3972 wrote to memory of 3772	3972	DllCommonsvc.exe	149
PID 3972 wrote to memory of 4920	3972	DllCommonsvc.exe	136
PID 3972 wrote to memory of 4920	3972	DllCommonsvc.exe	136
PID 3972 wrote to memory of 4348	3972	DllCommonsvc.exe	148
PID 3972 wrote to memory of 4348	3972	DllCommonsvc.exe	148
PID 3972 wrote to memory of 4228	3972	DllCommonsvc.exe	138
PID 3972 wrote to memory of 4228	3972	DllCommonsvc.exe	138
PID 3972 wrote to memory of 4232	3972	DllCommonsvc.exe	139
PID 3972 wrote to memory of 4232	3972	DllCommonsvc.exe	139
PID 3972 wrote to memory of 1376	3972	DllCommonsvc.exe	140
PID 3972 wrote to memory of 1376	3972	DllCommonsvc.exe	140
PID 3972 wrote to memory of 3388	3972	DllCommonsvc.exe	142
PID 3972 wrote to memory of 3388	3972	DllCommonsvc.exe	142
PID 3972 wrote to memory of 4460	3972	DllCommonsvc.exe	153
PID 3972 wrote to memory of 4460	3972	DllCommonsvc.exe	153
PID 4460 wrote to memory of 4324	4460	cmd.exe	155
PID 4460 wrote to memory of 4324	4460	cmd.exe	155
PID 4460 wrote to memory of 4648	4460	cmd.exe	157
PID 4460 wrote to memory of 4648	4460	cmd.exe	157
PID 4648 wrote to memory of 2216	4648	conhost.exe	158
PID 4648 wrote to memory of 2216	4648	conhost.exe	158
PID 2216 wrote to memory of 5136	2216	cmd.exe	160
PID 2216 wrote to memory of 5136	2216	cmd.exe	160
PID 2216 wrote to memory of 5584	2216	cmd.exe	161
PID 2216 wrote to memory of 5584	2216	cmd.exe	161
PID 5584 wrote to memory of 5688	5584	conhost.exe	162
PID 5584 wrote to memory of 5688	5584	conhost.exe	162
PID 5688 wrote to memory of 5744	5688	cmd.exe	164
PID 5688 wrote to memory of 5744	5688	cmd.exe	164
PID 5688 wrote to memory of 5764	5688	cmd.exe	165
PID 5688 wrote to memory of 5764	5688	cmd.exe	165
PID 5764 wrote to memory of 5860	5764	conhost.exe	166
PID 5764 wrote to memory of 5860	5764	conhost.exe	166
PID 5860 wrote to memory of 5916	5860	cmd.exe	168
PID 5860 wrote to memory of 5916	5860	cmd.exe	168

C:\Users\Admin\AppData\Local\Temp\a8d7c26c2e49c9a05c6bd9fbb48b448737beda314a0479be3b41f17d3dc7170c.exe
"C:\Users\Admin\AppData\Local\Temp\a8d7c26c2e49c9a05c6bd9fbb48b448737beda314a0479be3b41f17d3dc7170c.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\4K\Wallpaper\Windows\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\Basebrd\fr-FR\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4fMT0wY0n5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4324
      - C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5136
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5744
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5916
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
        13⤵
        
        PID:6040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:6096
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
        15⤵
        
        PID:1020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:5256
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"
        17⤵
        
        PID:432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5444
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"
        19⤵
        
        PID:4800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2180
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
        21⤵
        
        PID:4472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2016
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
        23⤵
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4228
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
        25⤵
        
        PID:5280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2348
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
        27⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1144
        
        C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe"
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        29⤵
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Roaming\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\4K\Wallpaper\Windows\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Basebrd\fr-FR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\Basebrd\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\odt\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ab670d61b22fe8256ec357d0f2722a29

SHA1
5777605a86bebb2ebc095b75dd3666cad69ef41a

SHA256
50197d6afddc361f18525096dd9b0d1195cb3cdd876084a5802ab4cf5f31a4f6

SHA512
41b629a61129ba9fb196a6cc45e8903b50f0feaf6b60aa64683ccfcc1c7e95847302f6e012e17f17cb74355dee79bcd363745da6f3a8597d3ad669c48c9fdab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
80e11e464bece50d73583de7c45e413d

SHA1
b68013491155ef987038b01bf69f95d8cc665f68

SHA256
ce0f3eeb53c7ea70568ac99290d2a06ee53c90dbf4f942b8f0cf3fd9984d7a82

SHA512
f71bbd228f518e3ee2eeeb532152e56f40231ae50740ad1cd0731794a6cb2d4c6f53cc8167255eccb1882040495726734e54b95a9e2dc7c2025c53ab173393ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
80e11e464bece50d73583de7c45e413d

SHA1
b68013491155ef987038b01bf69f95d8cc665f68

SHA256
ce0f3eeb53c7ea70568ac99290d2a06ee53c90dbf4f942b8f0cf3fd9984d7a82

SHA512
f71bbd228f518e3ee2eeeb532152e56f40231ae50740ad1cd0731794a6cb2d4c6f53cc8167255eccb1882040495726734e54b95a9e2dc7c2025c53ab173393ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e05fd5557ea33dbfaf1a737f19fbeaa

SHA1
1e2c55925772378d1e8c72266c0f26b2a877d672

SHA256
3eb2728542cd6f4d4e04364f0d4505ca2fa68c6e85d07226842a3bd64764ac25

SHA512
7d63d2e66b13cadfc75dd7d018f17f8c5f0654899f4855b1d8b4b0f7fff5d71e0943785b48046ece47d8a8ac7b9336003ec69af02e29dad6ea35cb91f7519d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e05fd5557ea33dbfaf1a737f19fbeaa

SHA1
1e2c55925772378d1e8c72266c0f26b2a877d672

SHA256
3eb2728542cd6f4d4e04364f0d4505ca2fa68c6e85d07226842a3bd64764ac25

SHA512
7d63d2e66b13cadfc75dd7d018f17f8c5f0654899f4855b1d8b4b0f7fff5d71e0943785b48046ece47d8a8ac7b9336003ec69af02e29dad6ea35cb91f7519d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9264e0535671aa14a0efbd470f0b853c

SHA1
abb6cf0ef5c2152d2866672e025c59d8ed946ca3

SHA256
24ffa36a4be4fe8cfb24964e4c3b1d028910899c8b68387a93cc954d8c39f7b4

SHA512
c24466846abec687de1d3eb0a016b1a761deaf4a6da26ec53e652d2195eef994f74a975f9274e9d302f140ca0053f383b9fb267696a411e85c16d78238321757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
296a053a42218c0d2e282fdae3f4842c

SHA1
09b4d8ef1e709c8f79ba3d8da8d7eb288ff6179c

SHA256
07465cbc0d11ba3208ef83dd7a02ab813ce117c6d5316299fd937ee3d54e2a8c

SHA512
08841e155d765052932d36ee3c9b5088806175294c7612480d48363035764b3e73ef1ea47d2db2610a2d9aca1438e4831b3fc0d46930efa3063230efd6fc526d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
296a053a42218c0d2e282fdae3f4842c

SHA1
09b4d8ef1e709c8f79ba3d8da8d7eb288ff6179c

SHA256
07465cbc0d11ba3208ef83dd7a02ab813ce117c6d5316299fd937ee3d54e2a8c

SHA512
08841e155d765052932d36ee3c9b5088806175294c7612480d48363035764b3e73ef1ea47d2db2610a2d9aca1438e4831b3fc0d46930efa3063230efd6fc526d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
296a053a42218c0d2e282fdae3f4842c

SHA1
09b4d8ef1e709c8f79ba3d8da8d7eb288ff6179c

SHA256
07465cbc0d11ba3208ef83dd7a02ab813ce117c6d5316299fd937ee3d54e2a8c

SHA512
08841e155d765052932d36ee3c9b5088806175294c7612480d48363035764b3e73ef1ea47d2db2610a2d9aca1438e4831b3fc0d46930efa3063230efd6fc526d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45ff6762f90b1c5b9a77f123ea0a16c2

SHA1
2a439acf15b7f3646795e93632e1edea39169b2d

SHA256
7cf1b8364bb44853fad4f0ea205bf5b2eaddddb0db9f3ae9a2555ddef9932362

SHA512
6156ef17c4fba0ccc8c10ba9be251f1d5ba6ec01e4c339a4e2820f3b0976ac5bec773cd996a864a5237d80f23e0ca83c347a3463c2cd5c18f6a6ffd4bc413aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45ff6762f90b1c5b9a77f123ea0a16c2

SHA1
2a439acf15b7f3646795e93632e1edea39169b2d

SHA256
7cf1b8364bb44853fad4f0ea205bf5b2eaddddb0db9f3ae9a2555ddef9932362

SHA512
6156ef17c4fba0ccc8c10ba9be251f1d5ba6ec01e4c339a4e2820f3b0976ac5bec773cd996a864a5237d80f23e0ca83c347a3463c2cd5c18f6a6ffd4bc413aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd4f44b6a5131986076fbe0a6a2462bf

SHA1
2a9fef0a6b510a7763caa86895832387d17dd13d

SHA256
93371c7aa8b563d431e41032bd299021b0cce5728c1ad8fb168279ed5d1e6728

SHA512
b3b5cf47cf903d6df889239ca4a4e93de4715d0f37d1541747b6cc1600695477de8a3691c88c208e69ebc4eddf2bd905d02b80d2c254f9282fc5b85d00328400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd4f44b6a5131986076fbe0a6a2462bf

SHA1
2a9fef0a6b510a7763caa86895832387d17dd13d

SHA256
93371c7aa8b563d431e41032bd299021b0cce5728c1ad8fb168279ed5d1e6728

SHA512
b3b5cf47cf903d6df889239ca4a4e93de4715d0f37d1541747b6cc1600695477de8a3691c88c208e69ebc4eddf2bd905d02b80d2c254f9282fc5b85d00328400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59dfa20b6f3b49589dbb429b67637934

SHA1
22e0abe522ef5a71e7e6367cce7fe22f249c5f29

SHA256
33015bd9e09df26c7afc6c4d546b91a66e98bf3d75d7b0bd6edbde97ca212c0b

SHA512
5b4e963fa8a6ffa68f35c7d0f9f37466af5306cf95135576962c955c2f0a8279e0f74277bd2a3bac54101120f671f15a1cb41aa99fd76a26e7637d9f44507cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7297b9ca25cefad31694be0762d5c471

SHA1
47c576fac82e5559a3ab94989c089aaf38bb5b59

SHA256
e986b9a0cffd45fc7488ae09c74abab3b2c8a11197c8574749def74ec7109d6e

SHA512
5174ad3d54bea992cf46789c39d8c430645030319d7a2359a99f8d389932af88e7d81ef82fe3f9b62b08af3f5545c45a126c80a03ecc94e6b7d3a15292e7cc58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7297b9ca25cefad31694be0762d5c471

SHA1
47c576fac82e5559a3ab94989c089aaf38bb5b59

SHA256
e986b9a0cffd45fc7488ae09c74abab3b2c8a11197c8574749def74ec7109d6e

SHA512
5174ad3d54bea992cf46789c39d8c430645030319d7a2359a99f8d389932af88e7d81ef82fe3f9b62b08af3f5545c45a126c80a03ecc94e6b7d3a15292e7cc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

Filesize
226B

MD5
4176530c76ac692e0db460abf4256968

SHA1
a8a0721885bef63556752b36545221b9f432c3da

SHA256
5965ec0dac9171fedb25e5949ef112ddc0b8f2018ecdb0819a95947a55840dc1

SHA512
3485fe7e52d90ed596f55f37337958625d3bccb0da274f2497250ff2a9e31e81cb6c329c625a21253baf26af2cb1ae5d5d2ae211546b4d18c467ced548d22b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fMT0wY0n5.bat

Filesize
226B

MD5
701e0c0bec2ca65ac09659bffaf6a5bc

SHA1
b0f0f0b15526821559100bcaace80dec952c6a0b

SHA256
f60ee34616d8f9cae5ea20bb1591c92891efede7cb57eeebc9e7d7e37167e79c

SHA512
27e5c5e99ec8f7b96e81e2753c5c39834a2d1b6d7dd70b731d5724aacc770c4b196431f1ad2cb5b441e7936615c67ac0b7a68036d03bf61cd8aa3a6c6316b7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

Filesize
226B

MD5
04a436ee9ecd798530a6bbb6dd081fc6

SHA1
850dac4dd1de99319351b3caea748916db56db13

SHA256
b99cdd07ede1b044c35d36ed69d9a0eb1f8053020888197304ca686aeaa56a74

SHA512
e53437d391a9bf74e02faf67be083ca0f58292938335e1ba4a4cefaedcf98f78ec0fd69291ca809d43890462ba092eb6916f285d882729a4d88f2bc8b748477d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
226B

MD5
3e326d879561810771d4b9fda2680cc9

SHA1
b088044d4498bc982e6346ca712236d710286129

SHA256
5417e80d8546fca0e1f4ef0ba44c45f4be0f392a759a8c9820bcb9c7ce238bf5

SHA512
355fd32e0e6e6e455c6cdff920a600e02aadea5aba2a6cc4033f30d18b6d0f9c925fe971f13e147d4b4f1bbe48b141f66140b44e924bbad718423a20a22aa312

Download Submit
C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat

Filesize
226B

MD5
a65171565a35b0c2cf6a783224dc28ad

SHA1
58fd50716fd7df4088085e3cbacf53d0086f3148

SHA256
99fded1be90d9c33cd3fb0f327e85d8d209399cbd4ef5ac5e8711287403a47e4

SHA512
b2bd11a0168836ce0e3968bc0e307babdf984fdccd604779e1b51cea499a6c4e76284a6f69b78c4b9b74c0648129f3761a5d7a43b686dd8b35c021447cbfaf02

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat

Filesize
226B

MD5
dda1dbd635eb390e053fb9528bf0bdf7

SHA1
d37bf8095725ea2bf29261cb0c33ac94eee8c51c

SHA256
7fab919c51875cdfaf5e62bd805a38f2f4e77a30daeec7846fbe4940d48477ff

SHA512
0a0523def0d55831c1aa50fd2b87e6b28e4e5dbe8b71e1502a5133f5716f25981549e1eb923282c9548dac28524b87cf976f5c01955f1a07f73b4d9cf9a773cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

Filesize
226B

MD5
531ad2fcfbf67549c257b84edf4d955c

SHA1
fb689fa8f5d28a46b57ff28b586813fd74840bba

SHA256
26c69f8714caf1e5c93b77365d4a170397142c62f542c747c46469699638b603

SHA512
903e91e4a77836d8a3fe70780e5717f666079f2ab0f064679457441802b68ff6935cd07c97c5a22938ee40f15cb963a55378bc0d5e58bad9bc3e53ee8c5da687

Download Submit
C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat

Filesize
226B

MD5
e7d06c10c955cb20640230ff1cc8bd02

SHA1
e2fced92a146294a7fb74bcb8f6d5eeb1f21722a

SHA256
faba211ec7697d28bff6352e8737fcee5afa2c1e19d0f3da5a0451b6e8fad90e

SHA512
ed80dd2cf1c2a6488bb82ab29bee7e8e3772a0586ab11f4d5f18e375a9bd0511f824c581ba242f72e2fa1c0b92c3814263db2c9c388f349725e3e13f52aa75c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat

Filesize
226B

MD5
efd8322078d1ffe08f84f59b41a69095

SHA1
63f45f6a350987681e99785e68533738f58361ea

SHA256
2ef85255053c5f7a8d894b9930e490621c43812ced17dd0fdf82319c9e0dd2d1

SHA512
bd87e7c32126e34fe9e5733013b5cf91ceaec8d5ad5931419f32e72576bbed3f930856737b00849c6fdccac55de5fb2bedba934e840863a4669498cfc01650f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

Filesize
226B

MD5
345844bbfc969d956f952c6e02c46775

SHA1
2f10053a79e4985ebfa1f0182148611a66268cfc

SHA256
252cb0a99550b23f2271ab221f7886f119c88f96e503c1f154a2c81c4d14c773

SHA512
e1612f4e5c5a24244209c77493641587c6737e7830771fce3d92fa5b642256717627ac9af990a9f7beb3890ad0b83784800ca06f5f9ce0f971931457fed9cc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat

Filesize
226B

MD5
28f9250c9bf955c547292d995f0109f3

SHA1
84cbb1b9fdf2a7e20a188bed4a528debcf9a31a3

SHA256
f1418891e174e66f48f9e64ccd54ae702a5afbb64ac1d61cdbd4140d11bcbdf4

SHA512
487dfdce9d107d8b4a346d303b36a5942d72d6dba320a48ec31c282e627bc017dfe4f0af5163a96e683ceb931d3bcda1684383cde40f9da826193af70602f359

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat

Filesize
226B

MD5
8e7d79423337a51cdc159d140f73b989

SHA1
e3b11956b7469324b514fdc6bdd26340685e422f

SHA256
357310f80b911164d68b4b14e35a9e8b8a4c8e94814683244d198367f59bbe38

SHA512
711eddf672a4d315385ea9ddcd6800fe077aeb010e70a44d712d82340841c0bf747fa3d806243332e371787665616cf59e6697590d48814574b9c5eee9065fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
226B

MD5
381776e86fb8920e5229a44aaf98ded0

SHA1
166d7f8c7d9409dbea777eacb4ac49c7425eac77

SHA256
40cf82a1e6ace05ba9b745642977570e9959af07d4d3daa713e52db79025fbc0

SHA512
b788e4d7b4d4584a61435d509385e23e77c3a241a34df458d19a51e6a63ca38b9397eaa017903510eb295678139d7a44110d78f9ddf6ff08e2e335c7314bc030

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/604-373-0x0000020E03EE0000-0x0000020E03F02000-memory.dmp

Filesize
136KB

Download
memory/1312-167-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-151-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-182-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-183-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-121-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-122-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-123-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-180-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-179-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-125-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-126-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-178-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-177-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-128-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-129-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-130-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-132-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-131-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-133-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-176-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-134-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-175-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-172-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-135-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-174-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-181-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-136-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-138-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-139-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-141-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-142-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-143-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-140-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-137-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-173-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-144-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-171-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-145-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-170-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-146-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-147-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-169-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-168-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-148-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-149-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-120-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-150-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-166-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-165-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-164-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-163-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-162-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-161-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-160-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-159-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-158-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-157-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-156-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-155-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-154-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-153-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1312-152-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1332-928-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/3568-944-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/3972-288-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/3972-286-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/3972-287-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/3972-289-0x00000000024D0000-0x00000000024DC000-memory.dmp

Filesize
48KB

Download
memory/3972-290-0x00000000024E0000-0x00000000024EC000-memory.dmp

Filesize
48KB

Download
memory/4228-381-0x000001B7D0530000-0x000001B7D05A6000-memory.dmp

Filesize
472KB

Download
memory/4408-955-0x0000000000E60000-0x0000000000E72000-memory.dmp

Filesize
72KB

Download
memory/4648-729-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/4996-185-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/4996-186-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/5276-922-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/6120-916-0x0000000001370000-0x0000000001382000-memory.dmp

Filesize
72KB

Download