dcrat | 0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exe
Size

1.3MB
MD5

36b6ad53f0452821013e1d14d2cc44c3
SHA1

e6dc52c89af78ffe345cbf308c38c36fd5058ff6
SHA256

0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b
SHA512

9a0f3f0e76c516f2569a0609fac4c42f5bd24b54fc6286ba2799978b72d427b82b6dd245814c82686778bc09ba304536651bd25b015340811ea8dd6a833e6fff
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3028	schtasks.exe

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4000-139-0x00000000006B0000-0x00000000007C0000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft\Temp\cmd.exe	dcrat
C:\Program Files (x86)\Microsoft\Temp\cmd.exe	dcrat
C:\Program Files (x86)\Microsoft\Temp\cmd.exe	dcrat
C:\Program Files (x86)\Microsoft\Temp\cmd.exe	dcrat
C:\Program Files (x86)\Microsoft\Temp\cmd.exe	dcrat
C:\Program Files (x86)\Microsoft\Temp\cmd.exe	dcrat
C:\Program Files (x86)\Microsoft\Temp\cmd.exe	dcrat
C:\Program Files (x86)\Microsoft\Temp\cmd.exe	dcrat
C:\Program Files (x86)\Microsoft\Temp\cmd.exe	dcrat

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DllCommonsvc.execmd.execmd.execmd.exe0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exeWScript.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 9 IoCs

Processes:

DllCommonsvc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid process

4000 DllCommonsvc.exe
1248 cmd.exe
5288 cmd.exe
4568 cmd.exe
4924 cmd.exe
3468 cmd.exe
4904 cmd.exe
4016 cmd.exe
4156 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\PackageManifests\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 13 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\diagnostics\services.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\aero\ja-JP\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\addins\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\ShellExperiences\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\aero\ja-JP\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\addins\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\OCR\en-us\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\ShellExperiences\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\WaaS\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4232	schtasks.exe
4688	schtasks.exe
2456	schtasks.exe
2844	schtasks.exe
4316	schtasks.exe
4360	schtasks.exe
3436	schtasks.exe
1532	schtasks.exe
2800	schtasks.exe
5088	schtasks.exe
2672	schtasks.exe
4040	schtasks.exe
1352	schtasks.exe
1804	schtasks.exe
4080	schtasks.exe
3512	schtasks.exe
1032	schtasks.exe
2932	schtasks.exe
4816	schtasks.exe
692	schtasks.exe
1136	schtasks.exe
3416	schtasks.exe
4124	schtasks.exe
2360	schtasks.exe
644	schtasks.exe
1244	schtasks.exe
552	schtasks.exe
3548	schtasks.exe
2040	schtasks.exe
4236	schtasks.exe
3604	schtasks.exe
960	schtasks.exe
2492	schtasks.exe
2320	schtasks.exe
2300	schtasks.exe
3596	schtasks.exe
4448	schtasks.exe
760	schtasks.exe
1448	schtasks.exe
2948	schtasks.exe
5096	schtasks.exe
2668	schtasks.exe
4208	schtasks.exe
4292	schtasks.exe
3360	schtasks.exe
1896	schtasks.exe
1664	schtasks.exe
3492	schtasks.exe
1512	schtasks.exe
220	schtasks.exe
2840	schtasks.exe
4480	schtasks.exe
1340	schtasks.exe
1056	schtasks.exe

Modifies registry class 10 IoCs

Processes:

0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exeDllCommonsvc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4000	DllCommonsvc.exe
4000	DllCommonsvc.exe
4000	DllCommonsvc.exe
4000	DllCommonsvc.exe
4000	DllCommonsvc.exe
2520	powershell.exe
2520	powershell.exe
2576	powershell.exe
2576	powershell.exe
3744	powershell.exe
3744	powershell.exe
536	powershell.exe
536	powershell.exe
4864	powershell.exe
4864	powershell.exe
5060	powershell.exe
5060	powershell.exe
2728	powershell.exe
2728	powershell.exe
4704	powershell.exe
4704	powershell.exe
4348	powershell.exe
4348	powershell.exe
1388	powershell.exe
1388	powershell.exe
4016	powershell.exe
4016	powershell.exe
2924	powershell.exe
2924	powershell.exe
2384	powershell.exe
2384	powershell.exe
3132	powershell.exe
3132	powershell.exe
4100	powershell.exe
4100	powershell.exe
2520	powershell.exe
2520	powershell.exe
1536	powershell.exe
1536	powershell.exe
1504	powershell.exe
1504	powershell.exe
3360	powershell.exe
3360	powershell.exe
1424	powershell.exe
1424	powershell.exe
2576	powershell.exe
2576	powershell.exe
3744	powershell.exe
3744	powershell.exe
536	powershell.exe
536	powershell.exe
4864	powershell.exe
4864	powershell.exe
2728	powershell.exe
2728	powershell.exe
4348	powershell.exe
5060	powershell.exe
5060	powershell.exe
4704	powershell.exe
4016	powershell.exe
1388	powershell.exe
4100	powershell.exe
2924	powershell.exe
2384	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4000	DllCommonsvc.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1248	cmd.exe
Token: SeDebugPrivilege	5288	cmd.exe
Token: SeDebugPrivilege	4568	cmd.exe
Token: SeDebugPrivilege	4924	cmd.exe
Token: SeDebugPrivilege	3468	cmd.exe
Token: SeDebugPrivilege	4904	cmd.exe
Token: SeDebugPrivilege	4016	cmd.exe
Token: SeDebugPrivilege	4156	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exeWScript.execmd.exeDllCommonsvc.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1508 wrote to memory of 4976	1508	0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exe	WScript.exe
PID 1508 wrote to memory of 4976	1508	0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exe	WScript.exe
PID 1508 wrote to memory of 4976	1508	0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exe	WScript.exe
PID 4976 wrote to memory of 4832	4976	WScript.exe	cmd.exe
PID 4976 wrote to memory of 4832	4976	WScript.exe	cmd.exe
PID 4976 wrote to memory of 4832	4976	WScript.exe	cmd.exe
PID 4832 wrote to memory of 4000	4832	cmd.exe	DllCommonsvc.exe
PID 4832 wrote to memory of 4000	4832	cmd.exe	DllCommonsvc.exe
PID 4000 wrote to memory of 2520	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 2520	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 2576	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 2576	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 3744	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 3744	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 536	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 536	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4864	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4864	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 2728	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 2728	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 5060	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 5060	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4704	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4704	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4348	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4348	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 1388	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 1388	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4016	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4016	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 2924	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 2924	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 2384	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 2384	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 3132	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 3132	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4100	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 4100	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 3360	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 3360	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 1536	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 1536	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 1504	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 1504	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 1424	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 1424	4000	DllCommonsvc.exe	powershell.exe
PID 4000 wrote to memory of 5400	4000	DllCommonsvc.exe	cmd.exe
PID 4000 wrote to memory of 5400	4000	DllCommonsvc.exe	cmd.exe
PID 5400 wrote to memory of 700	5400	cmd.exe	w32tm.exe
PID 5400 wrote to memory of 700	5400	cmd.exe	w32tm.exe
PID 5400 wrote to memory of 1248	5400	cmd.exe	cmd.exe
PID 5400 wrote to memory of 1248	5400	cmd.exe	cmd.exe
PID 1248 wrote to memory of 1136	1248	cmd.exe	cmd.exe
PID 1248 wrote to memory of 1136	1248	cmd.exe	cmd.exe
PID 1136 wrote to memory of 3152	1136	cmd.exe	w32tm.exe
PID 1136 wrote to memory of 3152	1136	cmd.exe	w32tm.exe
PID 1136 wrote to memory of 5288	1136	cmd.exe	cmd.exe
PID 1136 wrote to memory of 5288	1136	cmd.exe	cmd.exe
PID 5288 wrote to memory of 1352	5288	cmd.exe	cmd.exe
PID 5288 wrote to memory of 1352	5288	cmd.exe	cmd.exe
PID 1352 wrote to memory of 4032	1352	cmd.exe	w32tm.exe
PID 1352 wrote to memory of 4032	1352	cmd.exe	w32tm.exe
PID 1352 wrote to memory of 4568	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 4568	1352	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exe
"C:\Users\Admin\AppData\Local\Temp\0f1639c9c76b39ad222eca54a1880f8fca4fe0d0a5d28c381b8d32b57348b88b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4832

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\ja-JP\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\SppExtComObj.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FNlIYuNVNT.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:5400

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:700

C:\Program Files (x86)\Microsoft\Temp\cmd.exe
"C:\Program Files (x86)\Microsoft\Temp\cmd.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:3152

C:\Program Files (x86)\Microsoft\Temp\cmd.exe
"C:\Program Files (x86)\Microsoft\Temp\cmd.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:4032

C:\Program Files (x86)\Microsoft\Temp\cmd.exe
"C:\Program Files (x86)\Microsoft\Temp\cmd.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
11⤵
PID:2456

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:1236

C:\Program Files (x86)\Microsoft\Temp\cmd.exe
"C:\Program Files (x86)\Microsoft\Temp\cmd.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
13⤵
PID:4908

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:1716

C:\Program Files (x86)\Microsoft\Temp\cmd.exe
"C:\Program Files (x86)\Microsoft\Temp\cmd.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
15⤵
PID:4984

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:5724

C:\Program Files (x86)\Microsoft\Temp\cmd.exe
"C:\Program Files (x86)\Microsoft\Temp\cmd.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
17⤵
PID:5176

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:4100

C:\Program Files (x86)\Microsoft\Temp\cmd.exe
"C:\Program Files (x86)\Microsoft\Temp\cmd.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
19⤵
PID:2384

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:4176

C:\Program Files (x86)\Microsoft\Temp\cmd.exe
"C:\Program Files (x86)\Microsoft\Temp\cmd.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
21⤵
PID:5984

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\PackageManifests\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\aero\ja-JP\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\aero\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Temp\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Temp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Temp\cmd.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Temp\cmd.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Temp\cmd.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Temp\cmd.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Temp\cmd.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Temp\cmd.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Temp\cmd.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Temp\cmd.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Microsoft\Temp\cmd.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat
Filesize
210B

MD5
793186e52eac88632b7dbed366e22d7b

SHA1
82f790d9d890b1b96d030d5a729b01e40f4fa788

SHA256
1a35b280315089789fdf7835bf0ffc206aa8893a7522a4678e5fff737b86d5f7

SHA512
75ff3b6071596a82d9fc36da786201f9c55e22b91a56c0c11709912bcd88b93a7f803b8a6a3320660085b0b9619b34828f0ff2673d78e3a9d5905fc7b6c07aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat
Filesize
210B

MD5
0c7962a18380f092ae9ce7141179dc0b

SHA1
ed0cfcdb87393cdf26a79411e98298b42ad66a34

SHA256
e3452de931b6e4b0a7d81e528d99de14a6598a20690132b36125fce9bbda8b42

SHA512
5b2a5c6a43614b6ff57bde063289646bb8f22c877d57dfbec54581aa1818ce57c84764b337cc54f948c06c1617e9e9e8b99f7e83500cd0cfee2c31d9a246077c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNlIYuNVNT.bat
Filesize
210B

MD5
244a4951bc03af9f789e8c54abb72548

SHA1
fba0342e0d32e3fac3ebfae322a8c0907454806d

SHA256
76b2ae14ac5a5072e344868ee920e745fb7c73516372745d5c7329eeb0bbbd0f

SHA512
7309d9e980320bac5c452747b60188709bc632bc46c9350403d24af4ca105b0b5b6005bb466133c8b0de68f03bfffdca6d473efde1c4724603b99989c5a139ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat
Filesize
210B

MD5
6159575032a842835d9f8b8f1d899004

SHA1
b6d432f3a0eefa91bb99c0c3eaf0ac07c37abd7e

SHA256
a4cdcf76bcb161e8d4dd158ac26bd61355d13ed58a180901c9b2b271cd10da97

SHA512
8566168727a756e9c5954570227be35eaaba30f08e031890432a0dde85dfa42e8bed010bee494f73a9dba466011bafdb60d7b6affe3fc7ad9c69c37f0f6c2596

Download Submit
C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat
Filesize
210B

MD5
86a66191f0d7ef0754ba833ef363f44a

SHA1
08475fd193a24c6c7531b7c7b9797cfe189ee12e

SHA256
d068b3e545859903a109c11b791778bc2d16e4b69921e43152451c8358fd4d40

SHA512
9e68a896152ae1d7a355bb3bcd2f4e2b971d544ec5bd6b9a993aaff08de61cf9ea2b43896d74c4afc224c19f01aac6560d2be2d9312a9140b856b021eb091ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat
Filesize
210B

MD5
272529f8d9a18c93310757ed55fb5bc8

SHA1
e3f1d69765d08368a9f70668c57ab6d98ac0d3d9

SHA256
b0a1fa8eadc0a637628e9418f3888ce3e6aa32ecd9d2e2b67b9d483f34c03f62

SHA512
b092b29a51bff07e78f72842795fc8a3fde6a1ebcdb09e5b001fb346e2c46bda84cc8dcb8bcc158dfa2d62f3227498763be8fe121e27befed3d2077887b276ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat
Filesize
210B

MD5
272529f8d9a18c93310757ed55fb5bc8

SHA1
e3f1d69765d08368a9f70668c57ab6d98ac0d3d9

SHA256
b0a1fa8eadc0a637628e9418f3888ce3e6aa32ecd9d2e2b67b9d483f34c03f62

SHA512
b092b29a51bff07e78f72842795fc8a3fde6a1ebcdb09e5b001fb346e2c46bda84cc8dcb8bcc158dfa2d62f3227498763be8fe121e27befed3d2077887b276ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat
Filesize
210B

MD5
5fdc31e7dea905b36c03739c642b48e0

SHA1
95979e506b72d6caf34420911d4ff7eec518e28a

SHA256
71a4b5093825648bc30a11b7ee6a1f5a38b9750fd89dd9ecbb48dbee29fc70c2

SHA512
dd1a4762b00cdae27ef1ee2e297c3fa26bd3cdb4f3ad1628b5170e8f0f30d6a2db9f8615d5d6cc73a05442edeea483506b1bce468a241712fdd3ae6c7ae78f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat
Filesize
210B

MD5
9483464fc593b2c50c81d9a0491563ce

SHA1
077ca6f08c7c1cff0da3112dcad6b391eab972ba

SHA256
b8b708b277e5cd8a0b87d7c3c45b3ed1bba0ca8743a5347e60d4145e9dc4c15b

SHA512
4ea420f5a3ed7b6b859da9c8b5811926d92763227fc768a925e5ac2e8fe7fe67bd2e52de67f7379e03c959efd9fad7d6d70a3df93d754caed37a756c41a82215

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/536-163-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/536-206-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/536-144-0x0000000000000000-mapping.dmp

Download
memory/536-278-0x0000000000000000-mapping.dmp

Download
memory/700-182-0x0000000000000000-mapping.dmp

Download
memory/1136-226-0x0000000000000000-mapping.dmp

Download
memory/1236-243-0x0000000000000000-mapping.dmp

Download
memory/1248-225-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1248-222-0x0000000000000000-mapping.dmp

Download
memory/1248-227-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1352-234-0x0000000000000000-mapping.dmp

Download
memory/1388-150-0x0000000000000000-mapping.dmp

Download
memory/1388-168-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1388-211-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1424-183-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1424-164-0x0000000000000000-mapping.dmp

Download
memory/1424-215-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1504-181-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1504-162-0x0000000000000000-mapping.dmp

Download
memory/1504-219-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1536-161-0x0000000000000000-mapping.dmp

Download
memory/1536-218-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1536-180-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/1716-250-0x0000000000000000-mapping.dmp

Download
memory/2384-213-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2384-171-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2384-269-0x0000000000000000-mapping.dmp

Download
memory/2384-155-0x0000000000000000-mapping.dmp

Download
memory/2456-241-0x0000000000000000-mapping.dmp

Download
memory/2520-153-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2520-204-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2520-151-0x00000225261A0000-0x00000225261C2000-memory.dmp

Filesize
136KB

Download
memory/2520-141-0x0000000000000000-mapping.dmp

Download
memory/2576-205-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2576-157-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2576-142-0x0000000000000000-mapping.dmp

Download
memory/2728-166-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2728-146-0x0000000000000000-mapping.dmp

Download
memory/2728-208-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2924-170-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2924-212-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/2924-154-0x0000000000000000-mapping.dmp

Download
memory/3132-214-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/3132-156-0x0000000000000000-mapping.dmp

Download
memory/3132-179-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/3152-229-0x0000000000000000-mapping.dmp

Download
memory/3360-174-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/3360-159-0x0000000000000000-mapping.dmp

Download
memory/3360-221-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/3468-252-0x0000000000000000-mapping.dmp

Download
memory/3468-258-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/3468-254-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/3744-143-0x0000000000000000-mapping.dmp

Download
memory/3744-160-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/3744-207-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-136-0x0000000000000000-mapping.dmp

Download
memory/4000-140-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-172-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4000-139-0x00000000006B0000-0x00000000007C0000-memory.dmp

Filesize
1.1MB

Download
memory/4016-203-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4016-178-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4016-266-0x0000000000000000-mapping.dmp

Download
memory/4016-152-0x0000000000000000-mapping.dmp

Download
memory/4016-272-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4016-268-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4032-236-0x0000000000000000-mapping.dmp

Download
memory/4100-200-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4100-264-0x0000000000000000-mapping.dmp

Download
memory/4100-173-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4100-158-0x0000000000000000-mapping.dmp

Download
memory/4156-273-0x0000000000000000-mapping.dmp

Download
memory/4156-275-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4156-279-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4176-271-0x0000000000000000-mapping.dmp

Download
memory/4348-167-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4348-149-0x0000000000000000-mapping.dmp

Download
memory/4348-202-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4568-244-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4568-240-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4568-238-0x0000000000000000-mapping.dmp

Download
memory/4704-148-0x0000000000000000-mapping.dmp

Download
memory/4704-201-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4704-177-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4832-135-0x0000000000000000-mapping.dmp

Download
memory/4864-175-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4864-209-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/4864-145-0x0000000000000000-mapping.dmp

Download
memory/4904-259-0x0000000000000000-mapping.dmp

Download
memory/4904-261-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-265-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4908-248-0x0000000000000000-mapping.dmp

Download
memory/4924-245-0x0000000000000000-mapping.dmp

Download
memory/4924-251-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-247-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-132-0x0000000000000000-mapping.dmp

Download
memory/4984-255-0x0000000000000000-mapping.dmp

Download
memory/5060-147-0x0000000000000000-mapping.dmp

Download
memory/5060-165-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/5060-210-0x00007FF81C150000-0x00007FF81CC11000-memory.dmp

Filesize
10.8MB

Download
memory/5176-262-0x0000000000000000-mapping.dmp

Download
memory/5288-237-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/5288-233-0x00007FF81C030000-0x00007FF81CAF1000-memory.dmp

Filesize
10.8MB

Download
memory/5288-230-0x0000000000000000-mapping.dmp

Download
memory/5400-169-0x0000000000000000-mapping.dmp

Download
memory/5724-257-0x0000000000000000-mapping.dmp

Download
memory/5984-276-0x0000000000000000-mapping.dmp

Download