dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
Size

1.3MB
MD5

e1e945f04fbbeab2efa06d16d21e4c22
SHA1

54037b5b03272d255ab875b5791f87902c5b9457
SHA256

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69
SHA512

61dfbe4d1803ba11f7318b1338343529be925bd84ba107bccb9d7c3f8175a012ea877a613946419f8486cd1c1606d7433c07342278a8c670a5013e999308ae41
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2248	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4896-282-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	dcrat

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exe

pid	process
4896	DllCommonsvc.exe
3432	ShellExperienceHost.exe
5676	ShellExperienceHost.exe
5856	ShellExperienceHost.exe
6036	ShellExperienceHost.exe
1360	ShellExperienceHost.exe
5520	ShellExperienceHost.exe
2920	ShellExperienceHost.exe
4812	ShellExperienceHost.exe
2736	ShellExperienceHost.exe
3704	ShellExperienceHost.exe
5592	ShellExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 17 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\hrtfs\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\f8c8f1285d826b	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\System\Speech\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\SystemResources\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ehome-tvratings_31bf3856ad364e35_10.0.15063.0_none_3efb11314732f41c\sihost.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Ease of Access Themes\sihost.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Ease of Access Themes\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
748	schtasks.exe
412	schtasks.exe
4996	schtasks.exe
3032	schtasks.exe
1864	schtasks.exe
4464	schtasks.exe
3984	schtasks.exe
2308	schtasks.exe
680	schtasks.exe
4236	schtasks.exe
4516	schtasks.exe
4848	schtasks.exe
4212	schtasks.exe
476	schtasks.exe
1776	schtasks.exe
1572	schtasks.exe
2256	schtasks.exe
4332	schtasks.exe
4420	schtasks.exe
4472	schtasks.exe
4448	schtasks.exe
4836	schtasks.exe
3728	schtasks.exe
3192	schtasks.exe
2792	schtasks.exe
2268	schtasks.exe
4396	schtasks.exe
872	schtasks.exe
3348	schtasks.exe
208	schtasks.exe
32	schtasks.exe
4904	schtasks.exe
416	schtasks.exe
1604	schtasks.exe
1340	schtasks.exe
4604	schtasks.exe
816	schtasks.exe
904	schtasks.exe
516	schtasks.exe
4256	schtasks.exe
4240	schtasks.exe
3176	schtasks.exe
4492	schtasks.exe
4620	schtasks.exe
5012	schtasks.exe
5016	schtasks.exe
4480	schtasks.exe
1292	schtasks.exe

Modifies registry class 12 IoCs

Processes:

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeDllCommonsvc.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exeShellExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	ShellExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
4896	DllCommonsvc.exe
1944	powershell.exe
1944	powershell.exe
508	powershell.exe
508	powershell.exe
2456	powershell.exe
2456	powershell.exe
508	powershell.exe
1944	powershell.exe
2456	powershell.exe
508	powershell.exe
2456	powershell.exe
2508	powershell.exe
2508	powershell.exe
1944	powershell.exe
3796	powershell.exe
3796	powershell.exe
2300	powershell.exe
2300	powershell.exe
2732	powershell.exe
2732	powershell.exe
4656	powershell.exe
4656	powershell.exe
2508	powershell.exe
4680	powershell.exe
4680	powershell.exe
4408	powershell.exe
4408	powershell.exe
3796	powershell.exe
4716	powershell.exe
4716	powershell.exe
2764	powershell.exe
2764	powershell.exe
5104	powershell.exe
5104	powershell.exe
4644	powershell.exe
4644	powershell.exe
2300	powershell.exe
1568	powershell.exe
1568	powershell.exe
4768	powershell.exe
4768	powershell.exe
1468	powershell.exe
1468	powershell.exe
2732	powershell.exe
2508	powershell.exe
3796	powershell.exe
4656	powershell.exe
4680	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4896	DllCommonsvc.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeIncreaseQuotaPrivilege	508	powershell.exe
Token: SeSecurityPrivilege	508	powershell.exe
Token: SeTakeOwnershipPrivilege	508	powershell.exe
Token: SeLoadDriverPrivilege	508	powershell.exe
Token: SeSystemProfilePrivilege	508	powershell.exe
Token: SeSystemtimePrivilege	508	powershell.exe
Token: SeProfSingleProcessPrivilege	508	powershell.exe
Token: SeIncBasePriorityPrivilege	508	powershell.exe
Token: SeCreatePagefilePrivilege	508	powershell.exe
Token: SeBackupPrivilege	508	powershell.exe
Token: SeRestorePrivilege	508	powershell.exe
Token: SeShutdownPrivilege	508	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeSystemEnvironmentPrivilege	508	powershell.exe
Token: SeRemoteShutdownPrivilege	508	powershell.exe
Token: SeUndockPrivilege	508	powershell.exe
Token: SeManageVolumePrivilege	508	powershell.exe
Token: 33	508	powershell.exe
Token: 34	508	powershell.exe
Token: 35	508	powershell.exe
Token: 36	508	powershell.exe
Token: SeIncreaseQuotaPrivilege	2456	powershell.exe
Token: SeSecurityPrivilege	2456	powershell.exe
Token: SeTakeOwnershipPrivilege	2456	powershell.exe
Token: SeLoadDriverPrivilege	2456	powershell.exe
Token: SeSystemProfilePrivilege	2456	powershell.exe
Token: SeSystemtimePrivilege	2456	powershell.exe
Token: SeProfSingleProcessPrivilege	2456	powershell.exe
Token: SeIncBasePriorityPrivilege	2456	powershell.exe
Token: SeCreatePagefilePrivilege	2456	powershell.exe
Token: SeBackupPrivilege	2456	powershell.exe
Token: SeRestorePrivilege	2456	powershell.exe
Token: SeShutdownPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeSystemEnvironmentPrivilege	2456	powershell.exe
Token: SeRemoteShutdownPrivilege	2456	powershell.exe
Token: SeUndockPrivilege	2456	powershell.exe
Token: SeManageVolumePrivilege	2456	powershell.exe
Token: 33	2456	powershell.exe
Token: 34	2456	powershell.exe
Token: 35	2456	powershell.exe
Token: 36	2456	powershell.exe
Token: SeIncreaseQuotaPrivilege	1944	powershell.exe
Token: SeSecurityPrivilege	1944	powershell.exe
Token: SeTakeOwnershipPrivilege	1944	powershell.exe
Token: SeLoadDriverPrivilege	1944	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exeWScript.execmd.exeDllCommonsvc.execmd.exeShellExperienceHost.execmd.exeShellExperienceHost.execmd.exeShellExperienceHost.execmd.exe

description	pid	process	target process
PID 2692 wrote to memory of 4800	2692	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 2692 wrote to memory of 4800	2692	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 2692 wrote to memory of 4800	2692	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 4800 wrote to memory of 3540	4800	WScript.exe	cmd.exe
PID 4800 wrote to memory of 3540	4800	WScript.exe	cmd.exe
PID 4800 wrote to memory of 3540	4800	WScript.exe	cmd.exe
PID 3540 wrote to memory of 4896	3540	cmd.exe	DllCommonsvc.exe
PID 3540 wrote to memory of 4896	3540	cmd.exe	DllCommonsvc.exe
PID 4896 wrote to memory of 508	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 508	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 1944	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 1944	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2456	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2456	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2508	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2508	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2300	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2300	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 3796	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 3796	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2732	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2732	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4656	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4656	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4680	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4680	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4408	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4408	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4716	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4716	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2764	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 2764	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 5104	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 5104	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4644	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4644	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 1568	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 1568	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4768	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4768	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 1468	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 1468	4896	DllCommonsvc.exe	powershell.exe
PID 4896 wrote to memory of 4612	4896	DllCommonsvc.exe	cmd.exe
PID 4896 wrote to memory of 4612	4896	DllCommonsvc.exe	cmd.exe
PID 4612 wrote to memory of 1604	4612	cmd.exe	w32tm.exe
PID 4612 wrote to memory of 1604	4612	cmd.exe	w32tm.exe
PID 4612 wrote to memory of 3432	4612	cmd.exe	ShellExperienceHost.exe
PID 4612 wrote to memory of 3432	4612	cmd.exe	ShellExperienceHost.exe
PID 3432 wrote to memory of 1368	3432	ShellExperienceHost.exe	cmd.exe
PID 3432 wrote to memory of 1368	3432	ShellExperienceHost.exe	cmd.exe
PID 1368 wrote to memory of 588	1368	cmd.exe	w32tm.exe
PID 1368 wrote to memory of 588	1368	cmd.exe	w32tm.exe
PID 1368 wrote to memory of 5676	1368	cmd.exe	ShellExperienceHost.exe
PID 1368 wrote to memory of 5676	1368	cmd.exe	ShellExperienceHost.exe
PID 5676 wrote to memory of 5780	5676	ShellExperienceHost.exe	cmd.exe
PID 5676 wrote to memory of 5780	5676	ShellExperienceHost.exe	cmd.exe
PID 5780 wrote to memory of 5836	5780	cmd.exe	w32tm.exe
PID 5780 wrote to memory of 5836	5780	cmd.exe	w32tm.exe
PID 5780 wrote to memory of 5856	5780	cmd.exe	ShellExperienceHost.exe
PID 5780 wrote to memory of 5856	5780	cmd.exe	ShellExperienceHost.exe
PID 5856 wrote to memory of 5960	5856	ShellExperienceHost.exe	cmd.exe
PID 5856 wrote to memory of 5960	5856	ShellExperienceHost.exe	cmd.exe
PID 5960 wrote to memory of 6016	5960	cmd.exe	w32tm.exe
PID 5960 wrote to memory of 6016	5960	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
"C:\Users\Admin\AppData\Local\Temp\0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\taskhostw.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\ShellExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i4qrOa5syd.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1604

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:588

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:5780

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:5960

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
12⤵
- Executes dropped EXE
- Modifies registry class
PID:6036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
13⤵
PID:6136

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
14⤵
- Executes dropped EXE
- Modifies registry class
PID:1360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
15⤵
PID:5356

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
16⤵
- Executes dropped EXE
- Modifies registry class
PID:5520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat"
17⤵
PID:2172

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
18⤵
- Executes dropped EXE
- Modifies registry class
PID:2920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
19⤵
PID:5148

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:5548

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
20⤵
- Executes dropped EXE
- Modifies registry class
PID:4812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
21⤵
PID:2408

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:2508

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
22⤵
- Executes dropped EXE
- Modifies registry class
PID:2736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
23⤵
PID:1340

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:4996

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
24⤵
- Executes dropped EXE
- Modifies registry class
PID:3704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
25⤵
PID:200

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:4704

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe"
26⤵
- Executes dropped EXE
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Ease of Access Themes\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5836

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:6016

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1604

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5424

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShellExperienceHost.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
232aeb7f1a55b6321f7ef81d894e99c8

SHA1
f4c0fc62cec8a5acaaf9cb8c4760d2db398539de

SHA256
2fc8cc956ef75843e57aa3b2163d78c89865f7651acee4d71100264a6a9ab5f3

SHA512
69d6966bdd91075309650fcd4aa8e584a21a4a43d0ed73666b53dff1f92651207abd6a0c0558733836a15235df317efcfe25ad06c5c6f84a12aec6604bdb41af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
90190c17bf522eafe8c0b034939743a4

SHA1
1d740c3007bc61afe994537e565a5b7f59505153

SHA256
87fd55326a1b3de9cdcfc98ee622122a8684634aa6854c9d08dce848701352de

SHA512
bf99b81f2eb0faebd1a7e4b883a93f97ccb47922342be864b7df91a2904cac76fef2edbabb9857735cc0d696f1faeab44a4a09d87f140604f6636a35f1a5c36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c09c261a5d43b7696036df8e846f0cca

SHA1
537aa50dd7a6998eb6836d24a8ef975d5eed612a

SHA256
b1489f1330089c696c154d2d5528cacec0302a0169a437262d938d0d3316b932

SHA512
684d657cec6a29f64cc3e5ef92c8b26d80afd46a5bad14528443d807b65ac23404a4f07b63635b19279acc2f1491037fc6ead0c107bbbf7a6a26494c8d953bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f044966a6c3e6c2cd473234c1d110091

SHA1
6cee7154ac3c6c3cd6d9a47ecede40b5fe4d4548

SHA256
3619bb472152510befd1ba7e4c10dd77ff2481bef66876e343fb22760f23776f

SHA512
db83a7323f5af6e190dcdd4eb5094cf7799b83bfa3d0c6f8e1877c12bcd6f50a32082037ed44ecd10e9fa66dfbaa73491f7332ab65274ffa8e289c390e26ace2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec7497c679a611e9dbbe84b5d2d23f8b

SHA1
3c4623d456cc9581bdba17b036693ddc24cc808d

SHA256
32d285c4f8a74462f6f25cccfa446f4b31a40a2abbf39cc372d60b202eaf4713

SHA512
59f27ed9fbe8fad776f56e352f5cd7ee317e5a7319e4fc066742d96e40afbc12bd26ad81af79ce8b8dc1ee89e830c53c3677c08908d77888ed74d60fc80fe5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b4ab82b36ec97bcffdcd2d881a12d1ee

SHA1
706c06fb43163574d23e03b7f39b422228df64b1

SHA256
b7e53ff4fe6a0364216f4b9822f678c6f1b3e50799ed84638fc885dd1f96a115

SHA512
16de770f21669dd9bd006c8305c908c9d605013e8382a936476d7201172d075fcb1b4a29a1cb48557dc536244aef12379e45e6d066398a0555ee7e76236a213b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6139ac31e876a3ba639d66f4a536d4c0

SHA1
23c2fcd0b660fc7413a91e73ba0a97dc0d355b35

SHA256
4190728e234a796dbaaf35ee0c04af729bde023acc4616fe32e8673b0154efa6

SHA512
7184643a7356b122de992891c6b85be48f1497db7a24c104c820e9f50b6dd5ce0d14145cde11a784741b614b45f8d338630152ea1a36e75792ad3393f25c05f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b0d7bbf12bc2ff90c75440ebaad646a4

SHA1
855067efe4b9d5264dff148f2be42696320db823

SHA256
f5cf106cf33a0306b8263664b8dbe80f12dbf0a24a35001570dfedf8a985c300

SHA512
f401e4805b2062ec473006392bdc489eb20e342b9cfc7993c913cf4346b3d0b20b106fa04601075e2ad3504176d8969aa96f3e2f1a055fc68ed597e9e916187e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b0d7bbf12bc2ff90c75440ebaad646a4

SHA1
855067efe4b9d5264dff148f2be42696320db823

SHA256
f5cf106cf33a0306b8263664b8dbe80f12dbf0a24a35001570dfedf8a985c300

SHA512
f401e4805b2062ec473006392bdc489eb20e342b9cfc7993c913cf4346b3d0b20b106fa04601075e2ad3504176d8969aa96f3e2f1a055fc68ed597e9e916187e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
250c48ecce2662d02af64fba02409121

SHA1
ccd5b801df3d75c175269971186530a530bc4775

SHA256
0c5dbf856728ea6e03f67eac96bec8501c8110c999ad1c113a248c0a4197d9d8

SHA512
bc9d7fc71b38cbe269cb14cb2bcab7270c8d915737b7c6c9de04e624fdaa1ea86f794a5e87ae4b3362bf50e9705d1702176452d084435c4af9d22499783987ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5b41f7968e7d4ecf3779dcc6cfe39636

SHA1
16a39dee0dc35914c1c1da6e6cc55be2ae5b4500

SHA256
833fed1eff4c672e0759b60b58b1c40c3cb7dcb277c766b87d4a7c158cf8a218

SHA512
6cc0bbfae0e01e60888438a3ff954d6ef9abfa183c713a390368b727f73a2e393d13ec1f6db8c7be3f15a34b6c783ed778aebdbc97322c64f34bdbf72c039306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5b41f7968e7d4ecf3779dcc6cfe39636

SHA1
16a39dee0dc35914c1c1da6e6cc55be2ae5b4500

SHA256
833fed1eff4c672e0759b60b58b1c40c3cb7dcb277c766b87d4a7c158cf8a218

SHA512
6cc0bbfae0e01e60888438a3ff954d6ef9abfa183c713a390368b727f73a2e393d13ec1f6db8c7be3f15a34b6c783ed778aebdbc97322c64f34bdbf72c039306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
624c6d7fa86bb5e44ce056534bc95e33

SHA1
accf5ef80c4c70c41fb8f0bae161723b461da103

SHA256
eee5da4a238e05fe87d0ea4323fe0124ae5f63ba97e97f0308893b1dab34a91b

SHA512
a7339bb051deb4c0f87fffb16b296aac58806037d99f5080b79202099e510bbc00a124ee7f05b99bcc18dac8d9082f3b54b79ba5f33719ccd61b9b36fe70f9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat
Filesize
240B

MD5
504559cd9a6494d9f9ca5ff08ad3b634

SHA1
d07539f8b2b679c64261ab51ac1fa09fe4bc9410

SHA256
7af168290e5e11fc254da40ea81545333053c9c79f8b7bcc2892da4ab81c2610

SHA512
a04051123d32d386bddc72f61ee65e919d223b9f6beae275c9c35e46af81378f9db328037c244ca31f53a0937134d1808e7c22b08a3972d602b0a57293bcf0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat
Filesize
240B

MD5
c2ea62c7f2395dcdc0ce918fc73a308d

SHA1
83b3bc3277fde4645b793fd7de819ae25d056a1e

SHA256
0e6c47c3911a33cee3218ee5a67a4b3dc7ed5791911fce2a197f8197d49986d8

SHA512
efaac251b2e9ef35f4f16803da87901e7e9e6665d4f4b47bb07eac4265aa4684edac0708d8ab56419bf9e2ee822af6ec18aba4cea9e2fa8b29d07c4e22514a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat
Filesize
240B

MD5
92b95ce20840b858c3dfb9eb8c756690

SHA1
d04e423b6960e65f176a86ddcb101f9cd30a7d3d

SHA256
23558bf581dcb6185c1db0e6d9631e194dd5fe9144ad4e93ad3bca2b109de7d2

SHA512
ff847f9412da26455c37adc04c3e854af151737740461c3350b684dc231d236b130e46265514e21c5a670899083756de6d05b882f8fe155d61155008c1040bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat
Filesize
240B

MD5
e6baac648eaa2b1e899a7abdfcf5b087

SHA1
9b6fbd5e890fadc38c475a53f3ff9678b78e915c

SHA256
982196005e96d98be7b812a0cb7f6c180a2a7c1249b13916d56e7522cca20bbf

SHA512
f8181608a71ce94059f1c7ea1a5ab83fcd8b39d77b7608b370db063087b859c805c57500e0c9bb663da26e02d86bf2522cf9a738897ac4df1199c9ecf25ab720

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat
Filesize
240B

MD5
1e425b269a0399239ff227047cbf9198

SHA1
e05c3678f6eeaa5e2e86fe7703629fc7d398b42c

SHA256
9e67471b4b8e94523f60e2ea7ead883ac3ab3d785447a110a118cbef3148085c

SHA512
3e0bd7c2de22552c4d36d0002676e642ae4cca16062f5ed36bd6d761b51dc9a3d54f24d3947d581edad956d99cd5288d4ab2b331f4184afd84d218a3181182b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat
Filesize
240B

MD5
ebc05fe9f2812a5d63fcd981cd62601b

SHA1
dcbd88aa62c9ac9274853645da335cea79966efb

SHA256
7902cb416923860375a12d6108d6dd91b664a26e9bd2eaf90d6663b1d1763bbe

SHA512
4dec3efb1dd2b2e7eb8befc9d5cd6ed0296d49d752f7b330d0ccac661d7e624123c1e62eb001d5b91c82e4832eaed8c407cad7be65eb92d72080c700c253bcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4qrOa5syd.bat
Filesize
240B

MD5
1e0b747928cd2a8a2a5516944a808e76

SHA1
8145d3aa093fcdc802bda328b5bb53f019938008

SHA256
13e9b5996db3ab2a4c269868ed5e4b398ddcc289e778c47edf08110456358a7e

SHA512
93ae8ce33ad350a2a7245d7691831b5e09d896d7a5fd676b469765923db6bd7b7eaeaea92aa89812f4e9813eeec197ad17183933d47de1530e628acf8409e3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat
Filesize
240B

MD5
09e539cf730191243f2199fb123de32e

SHA1
a26ab86da51e77780657e2a050e280c9f2c2a10c

SHA256
6bfd172a7fd23d641cf6bb311b71c2875266a5692193f8f166f79bcc71fccafd

SHA512
b89d121834f47e45044b3e661dd83bc0c481635763363692cd5b3ddc9819ba20841424f9a482e7a079b6485bcba4d8222490e2e1d20cdcff693d411c2ba4f30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat
Filesize
240B

MD5
9bcfdeef6be2069b619dba91ff0acccd

SHA1
44ea0f7fdd65fed62b618cfa7ad3107a4cff87a8

SHA256
671d9c0051507dce852c4ee7e39be97974295b223a9554facdf41aa7abf95e38

SHA512
1576f6ec2bbe25c73b41b31b511c5368606246ea294155cc3439e7872f61e84f8f27b77bb19401af00c4280c5d826932c52ca5b06d7a07b41d0dda71d2ea7db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat
Filesize
240B

MD5
f8842ffa5fd1f9c289d46cb50e4e19b7

SHA1
2a24a8a88d00e26c620b6f7c10947e8fda36e6ed

SHA256
dcd2b439283629703e7d05c7a85a62b9770bb8cac6b4086c7fd9794995710cc1

SHA512
ebab4d21830055d26ad3182109c10d68cf0a7d4b9dd4e695a00e5a5334d8a8eb954808d3ce421fdb9e6e7b20fe354f872f000f841d8172b16d0ccf282e28eccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat
Filesize
240B

MD5
c9a5b147092bbb5b48c79d4b3e13d792

SHA1
3b44af0611454e1e2d2b5f10da148730fc5a6240

SHA256
11fefd235ebb71a347430d7db82e964925ea4514fa377ff00ba365718732b9bd

SHA512
b6696413cd28f6a27875a7b6c893b49e7aca89f39f6e7cd4f2aab1e6f548e74a6a96c30acd82444fd8218539d03ba50a5d34ac233dedb858f015187cc168b604

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/200-962-0x0000000000000000-mapping.dmp

Download
memory/508-381-0x0000017DD3180000-0x0000017DD31F6000-memory.dmp

Filesize
472KB

Download
memory/508-287-0x0000000000000000-mapping.dmp

Download
memory/508-367-0x0000017DBA3B0000-0x0000017DBA3D2000-memory.dmp

Filesize
136KB

Download
memory/588-855-0x0000000000000000-mapping.dmp

Download
memory/1340-957-0x0000000000000000-mapping.dmp

Download
memory/1360-932-0x0000000000000000-mapping.dmp

Download
memory/1360-934-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/1368-853-0x0000000000000000-mapping.dmp

Download
memory/1468-327-0x0000000000000000-mapping.dmp

Download
memory/1568-320-0x0000000000000000-mapping.dmp

Download
memory/1604-386-0x0000000000000000-mapping.dmp

Download
memory/1604-931-0x0000000000000000-mapping.dmp

Download
memory/1944-288-0x0000000000000000-mapping.dmp

Download
memory/2172-940-0x0000000000000000-mapping.dmp

Download
memory/2300-291-0x0000000000000000-mapping.dmp

Download
memory/2408-951-0x0000000000000000-mapping.dmp

Download
memory/2456-289-0x0000000000000000-mapping.dmp

Download
memory/2508-290-0x0000000000000000-mapping.dmp

Download
memory/2508-953-0x0000000000000000-mapping.dmp

Download
memory/2692-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-159-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-179-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-116-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-176-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-172-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-171-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-167-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-129-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-293-0x0000000000000000-mapping.dmp

Download
memory/2736-954-0x0000000000000000-mapping.dmp

Download
memory/2736-956-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/2764-305-0x0000000000000000-mapping.dmp

Download
memory/2920-943-0x0000000000000000-mapping.dmp

Download
memory/2920-945-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/3432-696-0x0000000001100000-0x0000000001112000-memory.dmp

Filesize
72KB

Download
memory/3432-644-0x0000000000000000-mapping.dmp

Download
memory/3536-942-0x0000000000000000-mapping.dmp

Download
memory/3540-256-0x0000000000000000-mapping.dmp

Download
memory/3704-960-0x0000000000000000-mapping.dmp

Download
memory/3796-292-0x0000000000000000-mapping.dmp

Download
memory/4408-299-0x0000000000000000-mapping.dmp

Download
memory/4612-375-0x0000000000000000-mapping.dmp

Download
memory/4644-314-0x0000000000000000-mapping.dmp

Download
memory/4656-294-0x0000000000000000-mapping.dmp

Download
memory/4680-297-0x0000000000000000-mapping.dmp

Download
memory/4704-964-0x0000000000000000-mapping.dmp

Download
memory/4716-303-0x0000000000000000-mapping.dmp

Download
memory/4768-324-0x0000000000000000-mapping.dmp

Download
memory/4800-180-0x0000000000000000-mapping.dmp

Download
memory/4800-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4800-181-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4812-949-0x0000000000000000-mapping.dmp

Download
memory/4896-284-0x0000000002370000-0x000000000237C000-memory.dmp

Filesize
48KB

Download
memory/4896-286-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/4896-282-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/4896-279-0x0000000000000000-mapping.dmp

Download
memory/4896-283-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/4896-285-0x0000000002390000-0x000000000239C000-memory.dmp

Filesize
48KB

Download
memory/4996-959-0x0000000000000000-mapping.dmp

Download
memory/5104-310-0x0000000000000000-mapping.dmp

Download
memory/5148-946-0x0000000000000000-mapping.dmp

Download
memory/5356-935-0x0000000000000000-mapping.dmp

Download
memory/5424-937-0x0000000000000000-mapping.dmp

Download
memory/5520-938-0x0000000000000000-mapping.dmp

Download
memory/5548-948-0x0000000000000000-mapping.dmp

Download
memory/5592-965-0x0000000000000000-mapping.dmp

Download
memory/5676-916-0x0000000000000000-mapping.dmp

Download
memory/5780-919-0x0000000000000000-mapping.dmp

Download
memory/5836-921-0x0000000000000000-mapping.dmp

Download
memory/5856-922-0x0000000000000000-mapping.dmp

Download
memory/5960-924-0x0000000000000000-mapping.dmp

Download
memory/6016-926-0x0000000000000000-mapping.dmp

Download
memory/6036-927-0x0000000000000000-mapping.dmp

Download
memory/6136-929-0x0000000000000000-mapping.dmp

Download