dcrat | 7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2022 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d.exe
Size

1.3MB
MD5

7dc30255b9c525bfb0e1a1036eb7a9b0
SHA1

3a3f2cba723fee9de8df596791b08a79dccf218d
SHA256

7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d
SHA512

63c71d4a0dd4830bb990362c013b1db2f9ff9dda6a3494a5fd5209c47712b4a580daa27acbe4cd360fdfd921d280369bc57ad040a3b060716164ad1b16755048
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	3572	schtasks.exe	68
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3572	schtasks.exe	68

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022e65-137.dat	dcrat
behavioral1/files/0x0006000000022e65-138.dat	dcrat
behavioral1/memory/3540-139-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/files/0x0006000000022e65-167.dat	dcrat
behavioral1/files/0x000a000000022e7a-240.dat	dcrat
behavioral1/files/0x000a000000022e7a-239.dat	dcrat
behavioral1/files/0x000a000000022e7a-247.dat	dcrat
behavioral1/files/0x000a000000022e7a-255.dat	dcrat
behavioral1/files/0x000a000000022e7a-262.dat	dcrat
behavioral1/files/0x000a000000022e7a-269.dat	dcrat
behavioral1/files/0x000a000000022e7a-276.dat	dcrat
behavioral1/files/0x000a000000022e7a-283.dat	dcrat
behavioral1/files/0x000a000000022e7a-290.dat	dcrat
behavioral1/files/0x000a000000022e7a-297.dat	dcrat

Executes dropped EXE 11 IoCs

pid	Process
3540	DllCommonsvc.exe
3944	DllCommonsvc.exe
4452	smss.exe
3248	smss.exe
2372	smss.exe
5088	smss.exe
692	smss.exe
3016	smss.exe
1824	smss.exe
2008	smss.exe
1144	smss.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\sihost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\wsearchidxpi\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\INF\wsearchidxpi\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
768	schtasks.exe
928	schtasks.exe
1888	schtasks.exe
396	schtasks.exe
4208	schtasks.exe
4224	schtasks.exe
4684	schtasks.exe
720	schtasks.exe
212	schtasks.exe
4280	schtasks.exe
4492	schtasks.exe
4816	schtasks.exe
2716	schtasks.exe
1104	schtasks.exe
5008	schtasks.exe
3180	schtasks.exe
3012	schtasks.exe
4952	schtasks.exe
3364	schtasks.exe
4028	schtasks.exe
4152	schtasks.exe
4960	schtasks.exe
4744	schtasks.exe
1492	schtasks.exe
2624	schtasks.exe
364	schtasks.exe
4448	schtasks.exe
1412	schtasks.exe
4744	schtasks.exe
3464	schtasks.exe
2036	schtasks.exe
3284	schtasks.exe
3388	schtasks.exe
4624	schtasks.exe
1520	schtasks.exe
3636	schtasks.exe
3972	schtasks.exe
1972	schtasks.exe
4092	schtasks.exe
4808	schtasks.exe
4728	schtasks.exe
3344	schtasks.exe
4144	schtasks.exe
5112	schtasks.exe
4920	schtasks.exe
344	schtasks.exe
3984	schtasks.exe
1504	schtasks.exe
4396	schtasks.exe
1516	schtasks.exe
4616	schtasks.exe
1344	schtasks.exe
3968	schtasks.exe
2320	schtasks.exe
5096	schtasks.exe
380	schtasks.exe
4824	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	DllCommonsvc.exe
3540	DllCommonsvc.exe
3540	DllCommonsvc.exe
3540	DllCommonsvc.exe
3540	DllCommonsvc.exe
3540	DllCommonsvc.exe
3540	DllCommonsvc.exe
3540	DllCommonsvc.exe
3540	DllCommonsvc.exe
3540	DllCommonsvc.exe
2408	powershell.exe
4416	powershell.exe
3744	powershell.exe
4976	powershell.exe
3248	powershell.exe
2408	powershell.exe
4416	powershell.exe
3248	powershell.exe
3744	powershell.exe
4976	powershell.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
3944	DllCommonsvc.exe
1344	powershell.exe
2064	TrustedInstaller.exe
2064	TrustedInstaller.exe
4808	powershell.exe
4808	powershell.exe
1960	powershell.exe
1960	powershell.exe
4396	powershell.exe
4396	powershell.exe
344	powershell.exe
344	powershell.exe
4384	powershell.exe
4384	powershell.exe
4304	powershell.exe
4304	powershell.exe
1644	powershell.exe
1644	powershell.exe
4672	powershell.exe
4672	powershell.exe
3160	powershell.exe
3160	powershell.exe
2200	powershell.exe
2200	powershell.exe
1468	powershell.exe
1468	powershell.exe
2148	powershell.exe
2148	powershell.exe
2408	powershell.exe
2408	powershell.exe
2232	powershell.exe
2232	powershell.exe
1344	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	DllCommonsvc.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	3944	DllCommonsvc.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	2064	TrustedInstaller.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	4452	smss.exe
Token: SeDebugPrivilege	3248	smss.exe
Token: SeDebugPrivilege	2372	smss.exe
Token: SeDebugPrivilege	5088	smss.exe
Token: SeDebugPrivilege	692	smss.exe
Token: SeDebugPrivilege	3016	smss.exe
Token: SeDebugPrivilege	1824	smss.exe
Token: SeDebugPrivilege	2008	smss.exe
Token: SeDebugPrivilege	1144	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 4908	2268	7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d.exe	80
PID 2268 wrote to memory of 4908	2268	7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d.exe	80
PID 2268 wrote to memory of 4908	2268	7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d.exe	80
PID 4908 wrote to memory of 3596	4908	WScript.exe	81
PID 4908 wrote to memory of 3596	4908	WScript.exe	81
PID 4908 wrote to memory of 3596	4908	WScript.exe	81
PID 3596 wrote to memory of 3540	3596	cmd.exe	83
PID 3596 wrote to memory of 3540	3596	cmd.exe	83
PID 3540 wrote to memory of 4976	3540	DllCommonsvc.exe	96
PID 3540 wrote to memory of 4976	3540	DllCommonsvc.exe	96
PID 3540 wrote to memory of 2408	3540	DllCommonsvc.exe	97
PID 3540 wrote to memory of 2408	3540	DllCommonsvc.exe	97
PID 3540 wrote to memory of 4416	3540	DllCommonsvc.exe	105
PID 3540 wrote to memory of 4416	3540	DllCommonsvc.exe	105
PID 3540 wrote to memory of 3744	3540	DllCommonsvc.exe	100
PID 3540 wrote to memory of 3744	3540	DllCommonsvc.exe	100
PID 3540 wrote to memory of 3248	3540	DllCommonsvc.exe	101
PID 3540 wrote to memory of 3248	3540	DllCommonsvc.exe	101
PID 3540 wrote to memory of 2120	3540	DllCommonsvc.exe	106
PID 3540 wrote to memory of 2120	3540	DllCommonsvc.exe	106
PID 2120 wrote to memory of 3884	2120	cmd.exe	108
PID 2120 wrote to memory of 3884	2120	cmd.exe	108
PID 2120 wrote to memory of 3944	2120	cmd.exe	109
PID 2120 wrote to memory of 3944	2120	cmd.exe	109
PID 3944 wrote to memory of 1344	3944	DllCommonsvc.exe	157
PID 3944 wrote to memory of 1344	3944	DllCommonsvc.exe	157
PID 3944 wrote to memory of 2064	3944	DllCommonsvc.exe	196
PID 3944 wrote to memory of 2064	3944	DllCommonsvc.exe	196
PID 3944 wrote to memory of 4808	3944	DllCommonsvc.exe	159
PID 3944 wrote to memory of 4808	3944	DllCommonsvc.exe	159
PID 3944 wrote to memory of 1960	3944	DllCommonsvc.exe	160
PID 3944 wrote to memory of 1960	3944	DllCommonsvc.exe	160
PID 3944 wrote to memory of 4396	3944	DllCommonsvc.exe	161
PID 3944 wrote to memory of 4396	3944	DllCommonsvc.exe	161
PID 3944 wrote to memory of 344	3944	DllCommonsvc.exe	162
PID 3944 wrote to memory of 344	3944	DllCommonsvc.exe	162
PID 3944 wrote to memory of 4384	3944	DllCommonsvc.exe	163
PID 3944 wrote to memory of 4384	3944	DllCommonsvc.exe	163
PID 3944 wrote to memory of 4304	3944	DllCommonsvc.exe	166
PID 3944 wrote to memory of 4304	3944	DllCommonsvc.exe	166
PID 3944 wrote to memory of 1644	3944	DllCommonsvc.exe	168
PID 3944 wrote to memory of 1644	3944	DllCommonsvc.exe	168
PID 3944 wrote to memory of 4672	3944	DllCommonsvc.exe	169
PID 3944 wrote to memory of 4672	3944	DllCommonsvc.exe	169
PID 3944 wrote to memory of 3160	3944	DllCommonsvc.exe	186
PID 3944 wrote to memory of 3160	3944	DllCommonsvc.exe	186
PID 3944 wrote to memory of 1468	3944	DllCommonsvc.exe	171
PID 3944 wrote to memory of 1468	3944	DllCommonsvc.exe	171
PID 3944 wrote to memory of 2200	3944	DllCommonsvc.exe	183
PID 3944 wrote to memory of 2200	3944	DllCommonsvc.exe	183
PID 3944 wrote to memory of 2148	3944	DllCommonsvc.exe	173
PID 3944 wrote to memory of 2148	3944	DllCommonsvc.exe	173
PID 3944 wrote to memory of 2408	3944	DllCommonsvc.exe	174
PID 3944 wrote to memory of 2408	3944	DllCommonsvc.exe	174
PID 3944 wrote to memory of 2232	3944	DllCommonsvc.exe	175
PID 3944 wrote to memory of 2232	3944	DllCommonsvc.exe	175
PID 3944 wrote to memory of 3456	3944	DllCommonsvc.exe	180
PID 3944 wrote to memory of 3456	3944	DllCommonsvc.exe	180
PID 3456 wrote to memory of 2392	3456	cmd.exe	192
PID 3456 wrote to memory of 2392	3456	cmd.exe	192
PID 3456 wrote to memory of 4452	3456	cmd.exe	195
PID 3456 wrote to memory of 4452	3456	cmd.exe	195
PID 4452 wrote to memory of 380	4452	smss.exe	198
PID 4452 wrote to memory of 380	4452	smss.exe	198

C:\Users\Admin\AppData\Local\Temp\7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d.exe
"C:\Users\Admin\AppData\Local\Temp\7ab0f841170882abb0ddac1c429e59c13e5a73c903408560bd2b2fbca4fe257d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kFkE7A6RC8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3884
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        7⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\fontdrvhost.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\sppsvc.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\spoolsv.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\wsearchidxpi\fontdrvhost.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\spoolsv.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\sppsvc.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zub855hI4s.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2392
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
        9⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3960
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"
        11⤵
        
        PID:960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1100
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat"
        13⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:100
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat"
        15⤵
        
        PID:4760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4916
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat"
        17⤵
        
        PID:1356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2408
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat"
        19⤵
        
        PID:2624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2692
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
        21⤵
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4128
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
        23⤵
        
        PID:4452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4964
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Videos\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\INF\wsearchidxpi\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\INF\wsearchidxpi\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\INF\wsearchidxpi\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Recent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a37e740bc11f3d77213573976b685c33

SHA1
52c48b34355960d3e4c26c15e217926caee46cb7

SHA256
a71f16048f76817d8a5a1c86ba1d713519ca68896b58f8647b56ae29d43066e2

SHA512
14b45ac11ffd2f5b1785e10e327d12e871ce0aaf89b881ddf90d4bc0825eeb5373d4fa6e29e6f0db57ede36b0c8c015c380c03d5efd8db98bb5f3e7434b7f57f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2297d8c8249bd58f1603d645778049b4

SHA1
0bc8812a34e12b4e6b9c42ec89374a5873206ebd

SHA256
77232a4c2ff52023ad57a997d05ff0057ad7340df932b132223dcf559109b66b

SHA512
39a1dc3cda029657593a4882536a06380eb3b867d24d2fcee6dd834d4f08467524c6c2f3d8e89372207c3e4cd70a879abdaddfe0b89c0dfa02bf1c77946512a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8d9b95fdab142bb52f794b152e9b8230

SHA1
badb1d4568eb62dca12181d0c7fb093779c9a4de

SHA256
b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39

SHA512
3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8d9b95fdab142bb52f794b152e9b8230

SHA1
badb1d4568eb62dca12181d0c7fb093779c9a4de

SHA256
b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39

SHA512
3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8d9b95fdab142bb52f794b152e9b8230

SHA1
badb1d4568eb62dca12181d0c7fb093779c9a4de

SHA256
b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39

SHA512
3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f1491a96eb002269d30384852baf96e7

SHA1
95e5037b97129440dcb00660baa2efc67f5216e0

SHA256
82129d6fe49f819b8cdf3d9a50c56fa9b778f9bda754616dc87090970264ca4b

SHA512
ccf827ae16538c316cbbf0c0222b2328c77ff45b29291f8d74a13920a4959bc9403686e638b1e43ed3d79bc85fb72271a0a9f47282b4e771f30e8b46c9405142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc113211a3e72478c93989952aee3251

SHA1
5eeb2f2e4642ef5f147dd118742ea3c3dcf0cd16

SHA256
c6059355503eca5b35ac8446442eb5031ab610b7353cd2e8a3cf07dc99469fae

SHA512
c0748cc3a4b701f5cefeeaf9ac1bdbae28cfcf1dad8e89a2db2c756b908011ee8e945b6d02bef816763fc5acc38a72657316f5cd56c62342c8e779a50f4f4460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8d9b95fdab142bb52f794b152e9b8230

SHA1
badb1d4568eb62dca12181d0c7fb093779c9a4de

SHA256
b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39

SHA512
3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8d9b95fdab142bb52f794b152e9b8230

SHA1
badb1d4568eb62dca12181d0c7fb093779c9a4de

SHA256
b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39

SHA512
3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
27b2c5bc810c36d27db00baafffc6664

SHA1
1a67af75c46228e63544497df54bbe394fd7e356

SHA256
b223eb75c7c63fec3945a7bd6f1c68e051c1608248c235aa182f1d6078f41153

SHA512
56d91daa6a31537bfd11fdb91636e4cd2d57d0607ea5bf72ba02affba86f15aaae3a96fc9405c5208e91b277e32c11249fe14d066e64eadd292fdc00225c2b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat

Filesize
195B

MD5
faabb7e1b85e1b1a392c216be81d38f5

SHA1
fc200e068f68953b2b2de1d3c5595027e9f78490

SHA256
6c9b2761593ffd6526401960a3caf9584ce26b2f0d913cc2d8666442e7cd92aa

SHA512
d0c21b00dddadf74e4856dabd3053a0a34fafb8e83d31dbb4ee154189ffc339267c18b6f893e8577372cbc8402aa982060f98ace91ab9561a1bbcf301bd075f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat

Filesize
195B

MD5
5c1d053b765bd43eba9258925bc1339e

SHA1
a7d8adb7584ce9d36d8bf5730d7f02c323e1831d

SHA256
1771fd0c1405f811f52237795cc3ac410d21ca186778071590a0beac662a36bb

SHA512
293208b89aca3cd7293169b43378623f2dc89c11cb2a04a66419ccb82f6b97c46533404b09186248900b4bc2dbb7d46b5287a3a5661d7ad2a06e327ef4f94041

Download Submit
C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat

Filesize
195B

MD5
51538b9fb1041353c54e4ea2d3c6ece6

SHA1
4a6ed4ede9116ce274ed2e4b14ce8c2e88f498b4

SHA256
41f98b1b8c4c9d574a8c285a8f24fe2d03985e489a1ac1829e786147912964b9

SHA512
ef9f09e7af56213a02813da2ae83c838e625115844a088c479db8876a531653c4a0dd3b8e08c1227c03b4f42af6cd56fd97e526eb6f78fa33cc18d3739dfcae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat

Filesize
195B

MD5
957368634874d2d745430771aeee43eb

SHA1
f7c0643eae61f3f4d5ce8a632b8f877bca914c3b

SHA256
f05a026b76b8bd97bc9fa52c52557be15cd73c169dfbaa5c30b083643f9b00af

SHA512
45386da6556c2b27dd959201c7784bc0f3ce4d3af28201ddb8946b65a62c1181305bd547ba18fc55a398d9ed2a500cac6189148088c3a0d65204a5bf2de8b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat

Filesize
195B

MD5
5366460b4e678fa99b74951a871efbb8

SHA1
e9ca250e56627c4c568b29cc74b6ef9afc3dc49b

SHA256
6444fc772c70cd2d7b5647781fb614c2eb7f2a9415712ff7e097458c584380b5

SHA512
73fb877b518f24b2fb7fac5e8e7e48a4ba0eb6d75485210cd90ccb20a8c8365b5857412e239383e0ee1c859f4171088c735581e390409556358a09bc941f9562

Download Submit
C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

Filesize
195B

MD5
390f350d87933c3b7f0cd87dfc509b90

SHA1
266990ed8deb074dd06c78e2d507be45b82d3a2a

SHA256
bdaf5c1ab605c132d507182073804dbe300fae5bed916c0af10c1cb7a38fe273

SHA512
1b71056613e81463a356505004714fd5e991a604d2c2900955a585fe6da3e3dc48a98a7ba4c15128189eb9c3db09a4cdf20991dbb5452036df02c26fa95ae3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\kFkE7A6RC8.bat

Filesize
199B

MD5
83894c55bd9ef32d2cfb89cbe9fbe649

SHA1
5e6b5540ef3e549b30e209cb28670c2dd639ade1

SHA256
e2b581b6a8f7fb6f176593c127974fca73e97ce8cb0baa2c7c40b313cf218c77

SHA512
661380566e22c1af07c43d23706b72f784c5328145421c3cc1321f41edfa1c79728e3453ebad3db0cc752ab819a4825cd19deb9995761953276a8387490175f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat

Filesize
195B

MD5
4ef6061bc4de5f3bc25fee823121d596

SHA1
e5db030fdcd529a1819ced15a81172cc80b3c126

SHA256
f382cd26001f105adef8065f72c8e97d76a9c223d19012315aa5f089f3fa9de2

SHA512
674e707bdfb3a45e82013422b52ad2aa4716fd6819b649059438c3f9d66e45a7b4d900e837ef172c8c3d2bf1bb44fd372c128b28bf6c8f61f95c3a099352b7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat

Filesize
195B

MD5
098f6cfa335974a7b44887678c615d41

SHA1
373fe4e12a29e8230fc22713682d6332c620cc8e

SHA256
c7796f4b359b02db5e1d1ab27d3930f7044a97f897aaf389b5cc5fd1265dd6de

SHA512
82860344552b98e6a13b46f659c2143309498f27b04dbbba5712d99f3b00df3c0c8f224775c3dc1256840bc85b792867d7133b7ce495a1cb8e38b871857b976b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zub855hI4s.bat

Filesize
195B

MD5
a3a914b71ff3720411beecb1bfaf3ac8

SHA1
6fa9771a54d943c038f730f7d52df3d654e8f2ed

SHA256
626dcc7d2f384484d4733f307adfc3833ebd78b336019a00c9d620276a429b1f

SHA512
2d74d22acf43a4c972071552f68ba2bbae18f44bb9afdb6bbca9afab195babdd2fb3c0b42d4c57b421cfa134c2636e554cfe66aafcfe6cfd49fc78aa91fd7c3d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/344-209-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/344-191-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/692-270-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/692-274-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/1344-184-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1344-203-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1468-196-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1468-223-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1644-205-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1644-228-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1824-284-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/1824-288-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-220-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1960-189-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2008-295-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/2008-291-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/2064-211-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2064-187-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2148-207-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2148-237-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2200-235-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2200-197-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2232-234-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2232-199-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2372-256-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/2372-260-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/2408-151-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2408-233-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2408-198-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2408-161-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3016-281-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/3016-277-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/3160-206-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3160-227-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3248-165-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3248-253-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-154-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3248-249-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/3540-148-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3540-139-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/3540-140-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3744-153-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3744-164-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3944-169-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3944-193-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4304-226-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4304-192-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4384-204-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4384-225-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4396-202-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4396-222-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4416-158-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4416-147-0x0000028B6F520000-0x0000028B6F542000-memory.dmp

Filesize
136KB

Download
memory/4416-152-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4452-241-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/4452-245-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-229-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4672-194-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4808-219-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4808-188-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4976-162-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4976-155-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/5088-263-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-267-0x00007FFCC3EF0000-0x00007FFCC49B1000-memory.dmp

Filesize
10.8MB

Download