dcrat | 1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72

Analysis

max time kernel
155s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exe
Size

1.3MB
MD5

3c661423609311995178db0997a55e38
SHA1

1cc6814c89140d179092c0042cd325d0ffac790d
SHA256

1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72
SHA512

5f2603ad06a1e2e84eeb32c921eb6bfb487fca0a565aadd4dedaf6371016024e2582397eccdb8fcdc314006ef1690ffbf34e1cc871ce34f670645bfd3f08e577
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3448	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	3448	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4060-139-0x0000000000750000-0x0000000000860000-memory.dmp	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exe1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exeDllCommonsvc.exesmss.exesmss.exesmss.exesmss.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
4060	DllCommonsvc.exe
5600	smss.exe
2248	smss.exe
1596	smss.exe
5220	smss.exe
448	smss.exe
2888	smss.exe
4516	smss.exe
3868	smss.exe
1224	smss.exe
4512	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\LanguageOverlayCache\sppsvc.exe DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\LanguageOverlayCache\sppsvc.exe	DllCommonsvc.exe

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3188	schtasks.exe
2716	schtasks.exe
3564	schtasks.exe
380	schtasks.exe
2136	schtasks.exe
4772	schtasks.exe
2596	schtasks.exe
1100	schtasks.exe
608	schtasks.exe
1588	schtasks.exe
3796	schtasks.exe
1040	schtasks.exe
1968	schtasks.exe
5008	schtasks.exe
3928	schtasks.exe
1400	schtasks.exe
4188	schtasks.exe
2652	schtasks.exe
1900	schtasks.exe
3316	schtasks.exe
4372	schtasks.exe
3632	schtasks.exe
4084	schtasks.exe
4696	schtasks.exe
3136	schtasks.exe
2172	schtasks.exe
5048	schtasks.exe
4972	schtasks.exe
764	schtasks.exe
2720	schtasks.exe
1392	schtasks.exe
1224	schtasks.exe
3440	schtasks.exe
4312	schtasks.exe
3532	schtasks.exe
1472	schtasks.exe
1132	schtasks.exe
4296	schtasks.exe
2276	schtasks.exe
216	schtasks.exe
1256	schtasks.exe
1540	schtasks.exe
1184	schtasks.exe
2852	schtasks.exe
4960	schtasks.exe
3528	schtasks.exe
4336	schtasks.exe
212	schtasks.exe
4664	schtasks.exe
1912	schtasks.exe
3536	schtasks.exe
3648	schtasks.exe
2180	schtasks.exe
3584	schtasks.exe

Modifies registry class 11 IoCs

Processes:

smss.exesmss.exeDllCommonsvc.exesmss.exesmss.exesmss.exesmss.exe1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exesmss.exesmss.exesmss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4060	DllCommonsvc.exe
4512	powershell.exe
2700	powershell.exe
2700	powershell.exe
3500	powershell.exe
3500	powershell.exe
688	powershell.exe
688	powershell.exe
3684	powershell.exe
3684	powershell.exe
4248	powershell.exe
4248	powershell.exe
3948	powershell.exe
3948	powershell.exe
5068	powershell.exe
5068	powershell.exe
992	powershell.exe
992	powershell.exe
5020	powershell.exe
5020	powershell.exe
3820	powershell.exe
3820	powershell.exe
3036	powershell.exe
3036	powershell.exe
1580	powershell.exe
4872	powershell.exe
1580	powershell.exe
4872	powershell.exe
1352	powershell.exe
1352	powershell.exe
1204	powershell.exe
1204	powershell.exe
4460	powershell.exe
4460	powershell.exe
4856	powershell.exe
4856	powershell.exe
1220	powershell.exe
1220	powershell.exe
4512	powershell.exe
4512	powershell.exe
3500	powershell.exe
3500	powershell.exe
2700	powershell.exe
2700	powershell.exe
3684	powershell.exe
3684	powershell.exe
688	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4060	DllCommonsvc.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	5600	smss.exe
Token: SeDebugPrivilege	2248	smss.exe
Token: SeDebugPrivilege	1596	smss.exe
Token: SeDebugPrivilege	5220	smss.exe
Token: SeDebugPrivilege	448	smss.exe
Token: SeDebugPrivilege	2888	smss.exe
Token: SeDebugPrivilege	4516	smss.exe
Token: SeDebugPrivilege	3868	smss.exe
Token: SeDebugPrivilege	1224	smss.exe
Token: SeDebugPrivilege	4512	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exeWScript.execmd.exeDllCommonsvc.execmd.exesmss.execmd.exesmss.execmd.exe

description	pid	process	target process
PID 800 wrote to memory of 2100	800	1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exe	WScript.exe
PID 800 wrote to memory of 2100	800	1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exe	WScript.exe
PID 800 wrote to memory of 2100	800	1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exe	WScript.exe
PID 2100 wrote to memory of 1108	2100	WScript.exe	cmd.exe
PID 2100 wrote to memory of 1108	2100	WScript.exe	cmd.exe
PID 2100 wrote to memory of 1108	2100	WScript.exe	cmd.exe
PID 1108 wrote to memory of 4060	1108	cmd.exe	DllCommonsvc.exe
PID 1108 wrote to memory of 4060	1108	cmd.exe	DllCommonsvc.exe
PID 4060 wrote to memory of 3684	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3684	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 2700	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 2700	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4512	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4512	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 688	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 688	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3500	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3500	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4248	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4248	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3948	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3948	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 5068	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 5068	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 5020	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 5020	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3820	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3820	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3036	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3036	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 992	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 992	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 1580	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 1580	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4872	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4872	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 1204	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 1204	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4460	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4460	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 1352	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 1352	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4856	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 4856	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 1220	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 1220	4060	DllCommonsvc.exe	powershell.exe
PID 4060 wrote to memory of 3136	4060	DllCommonsvc.exe	cmd.exe
PID 4060 wrote to memory of 3136	4060	DllCommonsvc.exe	cmd.exe
PID 3136 wrote to memory of 5164	3136	cmd.exe	w32tm.exe
PID 3136 wrote to memory of 5164	3136	cmd.exe	w32tm.exe
PID 3136 wrote to memory of 5600	3136	cmd.exe	smss.exe
PID 3136 wrote to memory of 5600	3136	cmd.exe	smss.exe
PID 5600 wrote to memory of 5888	5600	smss.exe	cmd.exe
PID 5600 wrote to memory of 5888	5600	smss.exe	cmd.exe
PID 5888 wrote to memory of 5972	5888	cmd.exe	w32tm.exe
PID 5888 wrote to memory of 5972	5888	cmd.exe	w32tm.exe
PID 5888 wrote to memory of 2248	5888	cmd.exe	smss.exe
PID 5888 wrote to memory of 2248	5888	cmd.exe	smss.exe
PID 2248 wrote to memory of 2116	2248	smss.exe	cmd.exe
PID 2248 wrote to memory of 2116	2248	smss.exe	cmd.exe
PID 2116 wrote to memory of 4868	2116	cmd.exe	w32tm.exe
PID 2116 wrote to memory of 4868	2116	cmd.exe	w32tm.exe
PID 2116 wrote to memory of 1596	2116	cmd.exe	smss.exe
PID 2116 wrote to memory of 1596	2116	cmd.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exe
"C:\Users\Admin\AppData\Local\Temp\1717ab29b92afc8bb4714ed9f9c13cafc7a8052b0570a548620245690bbafe72.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\taskhostw.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchApp.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XLFBm3DSDq.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:5164

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:5888

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:5972

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:4868

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
11⤵
PID:5336

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:4772

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
13⤵
PID:5252

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:4244

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
15⤵
PID:112

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:4472

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
17⤵
PID:3968

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:2348

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
19⤵
PID:1776

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:4160

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
21⤵
PID:4864

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:612

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
23⤵
PID:4568

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:5244

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Desktop\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Local Settings\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat

Filesize
195B

MD5
4e973185cacba9927ba4e9ac0d57a214

SHA1
607cf2435e324b844bfc94890fc1910131f15dc0

SHA256
9f12fad0b1764dea16e39a56f829ec799c6ab0443eb9fff4d9b157b4ebc2f2f4

SHA512
e8fee659b1c04e65b80e05ee0d998dae86ef4608203aef180b26963743c6466d09ff5a3fb2745d7d675b6f6f8810722bd217eca5aec4de6d62f131846ea37539

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
195B

MD5
b2e6f0e76f77d124d914d12527c1dd4f

SHA1
9adeb97b61740e862ba385e98a38f08b443c1125

SHA256
f240276749ce1dcc48c8313d608fc3cdaaaa4e42688ac8b2976590ec9acda8fc

SHA512
e52e0765fcd83ca629a1cba80c32a950069a1061abd052dc1e4c4aad0eb6c04580ba7928185d87657e145436c2837e0f1a927ff5b6c7449b5e3dbb7ced3610a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat

Filesize
195B

MD5
d6ff60448eacef6cb072429db9dce8c3

SHA1
1b85d03871ad4416ee9a9cff283d9673ad82d463

SHA256
15a1532af4320908f51722173b498e30cff19b998b000c79f5c8b80e977bd653

SHA512
0d203d6a86953f599d5e64954eaf8b6718bfeca585c608f76582f221e917f09eff1e1d7e2c0f488679284985eba4befac96e7c62bca2ee6fe996dbef5094847e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat

Filesize
195B

MD5
d91503241816e66a0d9ba9dbbe7d11e3

SHA1
32ab115240c5d478dd5a758c42b61c3d2b5573a0

SHA256
4d2dd14e03422729e1e95cea4c2b0d469f9fe10b208bfcbce7995961079ddaf0

SHA512
86fa80aaa9a049f424158d82368683b3e81de940f1c994b049bffcd125dbdda7dde5327346c624b9d5f8eb387838270f59cb16d8441195574d1763c243261ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
195B

MD5
8fca49a5dcb476c7fcfd016461be0d97

SHA1
f9532bded22a7c1b203cba59d910c01fba83d52b

SHA256
bce6ffd298b8412a0000680961212822f58c2ff32063c59f5e96f021caab9cb1

SHA512
6f7ebf1b010df8e02634ad2a64b393ba10c54347b5ea9e6416ac70d43fd2df541fb3c8ee3205097591d2a15095d70b3d670296720965cdd2307cd9169b1002f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

Filesize
195B

MD5
b1ffa8d181d4266ed7169d23f2a95ea1

SHA1
4f80edef4d7b46b306690738d4cfb2ec45a98369

SHA256
6286647857806a384e15b824716899046a6098604f10029be27f31b519bb92c7

SHA512
0eb91dae749078466f8a84c8a054b599556552e1abe902fdd731b9a1b8cdf8a8ac7c1ba6e5ea497e8fdd4d3048649e15bd7fe96fe50f41834ddbf835995fe188

Download Submit
C:\Users\Admin\AppData\Local\Temp\XLFBm3DSDq.bat

Filesize
195B

MD5
f70d0ec838bcc8461897eec02f4432d7

SHA1
1bd5a8d0cbd33804a08a04a0919c0b5e0e1e19f5

SHA256
92fca2f4d82abd355d1cfc4baa2685935dbc5b0fab2434a6d9f8d37495a57cab

SHA512
4ab51b3e55a0ee4f08c004b8a460fa9bcc9872d5bed450959bac47d89f4cb625c48e7464d48748f07e44483b6a617f8643a64ede0aaec10395375b3402646097

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
195B

MD5
609da8cfc552cee442b9f72537227b15

SHA1
6b670316df396373faf8f11b01f4711bff418f85

SHA256
9bb59f39fddd240a18e70774939f70961871055a879373d1c4759f0a3bb882ab

SHA512
c0b0c131dd34dcd9f3b183b644cebe1d3d29a095717311d478b1d265230cd9dd448271b8c0e7024d58e519e3e06c26122f8eb3ef50f5f24899a8f0fd5de6c737

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat

Filesize
195B

MD5
f837f6e6be7f4e1a1e9b0720c3780da8

SHA1
bf6f8a4e3deae1eea63362ac1af4764766cfa2d9

SHA256
5dc48a875f90eb1d4f8aa65166a130a484346eb7add975d375d2f35c58d070a3

SHA512
96f4185bb4d15c0506a60fc0769c92c9c313b953c5eacb720d85c9a791813cae79bd81dd193cfd1dde01375ba74571f793d0eb5702de4df5bdfa549eca4c47e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
195B

MD5
193500a531f8117b03bc3defe4baf7a1

SHA1
f469bef90999e76097b0b0592a9f34e349016428

SHA256
5d71595a7e77b0c59941fc3f79946a0fea7263da76767164492e094604cf1e0a

SHA512
e3ae9023def637f4f5a395632a435051816c010f25aed5d7a6707919b92641a3c8ecc13432b0ef9c8f28c4ff0376202655d3044dccb531329981bd76efde391e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/112-255-0x0000000000000000-mapping.dmp

Download
memory/448-252-0x0000000000000000-mapping.dmp

Download
memory/448-254-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/448-258-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/612-278-0x0000000000000000-mapping.dmp

Download
memory/688-164-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/688-144-0x0000000000000000-mapping.dmp

Download
memory/688-190-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/992-174-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/992-196-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/992-152-0x0000000000000000-mapping.dmp

Download
memory/1108-135-0x0000000000000000-mapping.dmp

Download
memory/1204-213-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1204-179-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1204-155-0x0000000000000000-mapping.dmp

Download
memory/1220-159-0x0000000000000000-mapping.dmp

Download
memory/1220-221-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1220-182-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1224-280-0x0000000000000000-mapping.dmp

Download
memory/1224-282-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

Filesize
10.8MB

Download
memory/1224-286-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

Filesize
10.8MB

Download
memory/1352-157-0x0000000000000000-mapping.dmp

Download
memory/1352-214-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1352-181-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1580-177-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1580-153-0x0000000000000000-mapping.dmp

Download
memory/1580-212-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1596-238-0x0000000000000000-mapping.dmp

Download
memory/1596-244-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1596-240-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/1776-269-0x0000000000000000-mapping.dmp

Download
memory/2100-132-0x0000000000000000-mapping.dmp

Download
memory/2116-234-0x0000000000000000-mapping.dmp

Download
memory/2248-233-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/2248-230-0x0000000000000000-mapping.dmp

Download
memory/2248-237-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/2348-264-0x0000000000000000-mapping.dmp

Download
memory/2700-161-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/2700-142-0x0000000000000000-mapping.dmp

Download
memory/2700-192-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/2888-259-0x0000000000000000-mapping.dmp

Download
memory/2888-265-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/2888-261-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3036-206-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3036-176-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3036-151-0x0000000000000000-mapping.dmp

Download
memory/3136-162-0x0000000000000000-mapping.dmp

Download
memory/3500-191-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3500-145-0x0000000000000000-mapping.dmp

Download
memory/3500-166-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3684-170-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3684-141-0x0000000000000000-mapping.dmp

Download
memory/3684-193-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3820-215-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3820-173-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3820-150-0x0000000000000000-mapping.dmp

Download
memory/3868-273-0x0000000000000000-mapping.dmp

Download
memory/3868-275-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

Filesize
10.8MB

Download
memory/3868-279-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

Filesize
10.8MB

Download
memory/3948-147-0x0000000000000000-mapping.dmp

Download
memory/3948-168-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3948-201-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/3968-262-0x0000000000000000-mapping.dmp

Download
memory/4060-165-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4060-140-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4060-139-0x0000000000750000-0x0000000000860000-memory.dmp

Filesize
1.1MB

Download
memory/4060-136-0x0000000000000000-mapping.dmp

Download
memory/4160-271-0x0000000000000000-mapping.dmp

Download
memory/4244-250-0x0000000000000000-mapping.dmp

Download
memory/4248-167-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4248-195-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4248-146-0x0000000000000000-mapping.dmp

Download
memory/4460-219-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4460-156-0x0000000000000000-mapping.dmp

Download
memory/4460-180-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4472-257-0x0000000000000000-mapping.dmp

Download
memory/4512-287-0x0000000000000000-mapping.dmp

Download
memory/4512-163-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4512-160-0x00000202CF680000-0x00000202CF6A2000-memory.dmp

Filesize
136KB

Download
memory/4512-183-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4512-143-0x0000000000000000-mapping.dmp

Download
memory/4512-289-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

Filesize
10.8MB

Download
memory/4516-268-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

Filesize
10.8MB

Download
memory/4516-272-0x00007FFDCF4A0000-0x00007FFDCFF61000-memory.dmp

Filesize
10.8MB

Download
memory/4516-266-0x0000000000000000-mapping.dmp

Download
memory/4568-283-0x0000000000000000-mapping.dmp

Download
memory/4772-243-0x0000000000000000-mapping.dmp

Download
memory/4856-218-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4856-158-0x0000000000000000-mapping.dmp

Download
memory/4856-202-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4864-276-0x0000000000000000-mapping.dmp

Download
memory/4868-236-0x0000000000000000-mapping.dmp

Download
memory/4872-154-0x0000000000000000-mapping.dmp

Download
memory/4872-178-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/4872-209-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/5020-205-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/5020-149-0x0000000000000000-mapping.dmp

Download
memory/5020-172-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/5068-171-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/5068-148-0x0000000000000000-mapping.dmp

Download
memory/5068-199-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/5164-175-0x0000000000000000-mapping.dmp

Download
memory/5220-247-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/5220-251-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/5220-245-0x0000000000000000-mapping.dmp

Download
memory/5244-285-0x0000000000000000-mapping.dmp

Download
memory/5252-248-0x0000000000000000-mapping.dmp

Download
memory/5336-241-0x0000000000000000-mapping.dmp

Download
memory/5600-225-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/5600-222-0x0000000000000000-mapping.dmp

Download
memory/5600-229-0x00007FFDCF170000-0x00007FFDCFC31000-memory.dmp

Filesize
10.8MB

Download
memory/5888-226-0x0000000000000000-mapping.dmp

Download
memory/5972-228-0x0000000000000000-mapping.dmp

Download