dcrat | b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810

Analysis

max time kernel
144s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
03-02-2023 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810.exe
Size

1.3MB
MD5

5ea6eeb44b949a68c672585aeca4a504
SHA1

8f3ff1b9009f49d2b41f9a3848f5065919ec595e
SHA256

b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810
SHA512

7436cc2b2c97e89d2fb92f00e7af5ce2d05c501cd4d94a6a5008a6d3b2825e83ae2c6ef4e5cb6666faa7a23cdbfc2db9af5dba4ee325d5dc5d97bd17944ffe50
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	96	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	4176	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	4176	schtasks.exe

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4656-286-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat
C:\Windows\Logs\HomeGroup\fontdrvhost.exe	dcrat

Executes dropped EXE 13 IoCs

Processes:

DllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	process
4656	DllCommonsvc.exe
4156	fontdrvhost.exe
5580	fontdrvhost.exe
5764	fontdrvhost.exe
5968	fontdrvhost.exe
4788	fontdrvhost.exe
1432	fontdrvhost.exe
380	fontdrvhost.exe
1012	fontdrvhost.exe
4816	fontdrvhost.exe
4060	fontdrvhost.exe
4188	fontdrvhost.exe
3176	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 9 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\Icons\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\dab4d89cac03ec	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Logs\HomeGroup\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\HomeGroup\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4116	schtasks.exe
5064	schtasks.exe
952	schtasks.exe
2148	schtasks.exe
2856	schtasks.exe
2408	schtasks.exe
2212	schtasks.exe
3376	schtasks.exe
5104	schtasks.exe
1088	schtasks.exe
456	schtasks.exe
856	schtasks.exe
4192	schtasks.exe
2848	schtasks.exe
1856	schtasks.exe
1480	schtasks.exe
3180	schtasks.exe
4140	schtasks.exe
980	schtasks.exe
4316	schtasks.exe
1852	schtasks.exe
1412	schtasks.exe
2296	schtasks.exe
4768	schtasks.exe
1220	schtasks.exe
1400	schtasks.exe
2240	schtasks.exe
4120	schtasks.exe
2072	schtasks.exe
1392	schtasks.exe
2140	schtasks.exe
2728	schtasks.exe
240	schtasks.exe
96	schtasks.exe
3400	schtasks.exe
5084	schtasks.exe
2144	schtasks.exe
204	schtasks.exe
1740	schtasks.exe
344	schtasks.exe
3296	schtasks.exe
4156	schtasks.exe
468	schtasks.exe
692	schtasks.exe
904	schtasks.exe
2216	schtasks.exe
224	schtasks.exe
1840	schtasks.exe

Modifies registry class 12 IoCs

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exeb7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exe

pid	process
4656	DllCommonsvc.exe
4656	DllCommonsvc.exe
4656	DllCommonsvc.exe
4656	DllCommonsvc.exe
404	powershell.exe
404	powershell.exe
3796	powershell.exe
3796	powershell.exe
2836	powershell.exe
2836	powershell.exe
4444	powershell.exe
4444	powershell.exe
2736	powershell.exe
2736	powershell.exe
5100	powershell.exe
5100	powershell.exe
3824	powershell.exe
3824	powershell.exe
4948	powershell.exe
4948	powershell.exe
4964	powershell.exe
4964	powershell.exe
1320	powershell.exe
1320	powershell.exe
4872	powershell.exe
4872	powershell.exe
1012	powershell.exe
1012	powershell.exe
4600	powershell.exe
4600	powershell.exe
4588	powershell.exe
4588	powershell.exe
3708	powershell.exe
3708	powershell.exe
1320	powershell.exe
4200	powershell.exe
4200	powershell.exe
1012	powershell.exe
4948	powershell.exe
3224	powershell.exe
3224	powershell.exe
4964	powershell.exe
3708	powershell.exe
4156	fontdrvhost.exe
4156	fontdrvhost.exe
404	powershell.exe
404	powershell.exe
3796	powershell.exe
3796	powershell.exe
2836	powershell.exe
2836	powershell.exe
4444	powershell.exe
2736	powershell.exe
3824	powershell.exe
5100	powershell.exe
4872	powershell.exe
3224	powershell.exe
4200	powershell.exe
4600	powershell.exe
4588	powershell.exe
1012	powershell.exe
4948	powershell.exe
1320	powershell.exe
4964	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4656	DllCommonsvc.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	4156	fontdrvhost.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeIncreaseQuotaPrivilege	1012	powershell.exe
Token: SeSecurityPrivilege	1012	powershell.exe
Token: SeTakeOwnershipPrivilege	1012	powershell.exe
Token: SeLoadDriverPrivilege	1012	powershell.exe
Token: SeSystemProfilePrivilege	1012	powershell.exe
Token: SeSystemtimePrivilege	1012	powershell.exe
Token: SeProfSingleProcessPrivilege	1012	powershell.exe
Token: SeIncBasePriorityPrivilege	1012	powershell.exe
Token: SeCreatePagefilePrivilege	1012	powershell.exe
Token: SeBackupPrivilege	1012	powershell.exe
Token: SeRestorePrivilege	1012	powershell.exe
Token: SeShutdownPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeSystemEnvironmentPrivilege	1012	powershell.exe
Token: SeRemoteShutdownPrivilege	1012	powershell.exe
Token: SeUndockPrivilege	1012	powershell.exe
Token: SeManageVolumePrivilege	1012	powershell.exe
Token: 33	1012	powershell.exe
Token: 34	1012	powershell.exe
Token: 35	1012	powershell.exe
Token: 36	1012	powershell.exe
Token: SeIncreaseQuotaPrivilege	4948	powershell.exe
Token: SeSecurityPrivilege	4948	powershell.exe
Token: SeTakeOwnershipPrivilege	4948	powershell.exe
Token: SeLoadDriverPrivilege	4948	powershell.exe
Token: SeSystemProfilePrivilege	4948	powershell.exe
Token: SeSystemtimePrivilege	4948	powershell.exe
Token: SeProfSingleProcessPrivilege	4948	powershell.exe
Token: SeIncBasePriorityPrivilege	4948	powershell.exe
Token: SeCreatePagefilePrivilege	4948	powershell.exe
Token: SeBackupPrivilege	4948	powershell.exe
Token: SeRestorePrivilege	4948	powershell.exe
Token: SeShutdownPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeSystemEnvironmentPrivilege	4948	powershell.exe
Token: SeRemoteShutdownPrivilege	4948	powershell.exe
Token: SeUndockPrivilege	4948	powershell.exe
Token: SeManageVolumePrivilege	4948	powershell.exe
Token: 33	4948	powershell.exe
Token: 34	4948	powershell.exe
Token: 35	4948	powershell.exe
Token: 36	4948	powershell.exe
Token: SeIncreaseQuotaPrivilege	1320	powershell.exe
Token: SeSecurityPrivilege	1320	powershell.exe
Token: SeTakeOwnershipPrivilege	1320	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810.exeWScript.execmd.exeDllCommonsvc.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.exe

description	pid	process	target process
PID 4740 wrote to memory of 4528	4740	b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810.exe	WScript.exe
PID 4740 wrote to memory of 4528	4740	b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810.exe	WScript.exe
PID 4740 wrote to memory of 4528	4740	b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810.exe	WScript.exe
PID 4528 wrote to memory of 796	4528	WScript.exe	cmd.exe
PID 4528 wrote to memory of 796	4528	WScript.exe	cmd.exe
PID 4528 wrote to memory of 796	4528	WScript.exe	cmd.exe
PID 796 wrote to memory of 4656	796	cmd.exe	DllCommonsvc.exe
PID 796 wrote to memory of 4656	796	cmd.exe	DllCommonsvc.exe
PID 4656 wrote to memory of 404	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 404	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 3796	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 3796	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 2836	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 2836	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4444	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4444	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 2736	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 2736	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 5100	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 5100	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 3824	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 3824	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4964	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4964	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4948	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4948	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 1320	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 1320	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4872	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4872	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 1012	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 1012	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4600	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4600	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4588	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4588	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 3224	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 3224	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 3708	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 3708	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4200	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4200	4656	DllCommonsvc.exe	powershell.exe
PID 4656 wrote to memory of 4156	4656	DllCommonsvc.exe	fontdrvhost.exe
PID 4656 wrote to memory of 4156	4656	DllCommonsvc.exe	fontdrvhost.exe
PID 4156 wrote to memory of 1224	4156	fontdrvhost.exe	cmd.exe
PID 4156 wrote to memory of 1224	4156	fontdrvhost.exe	cmd.exe
PID 1224 wrote to memory of 64	1224	cmd.exe	w32tm.exe
PID 1224 wrote to memory of 64	1224	cmd.exe	w32tm.exe
PID 1224 wrote to memory of 5580	1224	cmd.exe	fontdrvhost.exe
PID 1224 wrote to memory of 5580	1224	cmd.exe	fontdrvhost.exe
PID 5580 wrote to memory of 5688	5580	fontdrvhost.exe	cmd.exe
PID 5580 wrote to memory of 5688	5580	fontdrvhost.exe	cmd.exe
PID 5688 wrote to memory of 5744	5688	cmd.exe	w32tm.exe
PID 5688 wrote to memory of 5744	5688	cmd.exe	w32tm.exe
PID 5688 wrote to memory of 5764	5688	cmd.exe	fontdrvhost.exe
PID 5688 wrote to memory of 5764	5688	cmd.exe	fontdrvhost.exe
PID 5764 wrote to memory of 5888	5764	fontdrvhost.exe	cmd.exe
PID 5764 wrote to memory of 5888	5764	fontdrvhost.exe	cmd.exe
PID 5888 wrote to memory of 5948	5888	cmd.exe	w32tm.exe
PID 5888 wrote to memory of 5948	5888	cmd.exe	w32tm.exe
PID 5888 wrote to memory of 5968	5888	cmd.exe	fontdrvhost.exe
PID 5888 wrote to memory of 5968	5888	cmd.exe	fontdrvhost.exe
PID 5968 wrote to memory of 6068	5968	fontdrvhost.exe	cmd.exe
PID 5968 wrote to memory of 6068	5968	fontdrvhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810.exe
"C:\Users\Admin\AppData\Local\Temp\b7033b20978b49cb0338dda792f4fe4069a03610ff2817725122ba35d0db6810.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:64
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5744
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5948
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat"
        12⤵
        
        PID:6068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:6124
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"
        14⤵
        
        PID:5308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4296
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        16⤵
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2216
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
        18⤵
        
        PID:5180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4948
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        20⤵
        
        PID:4924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1484
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
        22⤵
        
        PID:544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4160
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        24⤵
        
        PID:3876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4036
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
        26⤵
        
        PID:5340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2852
        
        C:\Windows\Logs\HomeGroup\fontdrvhost.exe
        
        "C:\Windows\Logs\HomeGroup\fontdrvhost.exe"
        27⤵
        Executes dropped EXE
        
        PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\HomeGroup\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:96

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\odt\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38e9a4075f39bf969cd6e01cf8e55452

SHA1
69025224f8323569b06a7dffb24845ea88e30f85

SHA256
75e5623a1fcd6e47b415bfab6da796dd8ff66de6b2c93a82c6a9582b1ccb49c3

SHA512
0b8760915a8cb5be5bae737c604db92272715ec13392d9804f7ce89a55153f09cd6f381e07b0103ef038fffee63f6f939f7974edc089641ff91482c54b1c16dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38e9a4075f39bf969cd6e01cf8e55452

SHA1
69025224f8323569b06a7dffb24845ea88e30f85

SHA256
75e5623a1fcd6e47b415bfab6da796dd8ff66de6b2c93a82c6a9582b1ccb49c3

SHA512
0b8760915a8cb5be5bae737c604db92272715ec13392d9804f7ce89a55153f09cd6f381e07b0103ef038fffee63f6f939f7974edc089641ff91482c54b1c16dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38e9a4075f39bf969cd6e01cf8e55452

SHA1
69025224f8323569b06a7dffb24845ea88e30f85

SHA256
75e5623a1fcd6e47b415bfab6da796dd8ff66de6b2c93a82c6a9582b1ccb49c3

SHA512
0b8760915a8cb5be5bae737c604db92272715ec13392d9804f7ce89a55153f09cd6f381e07b0103ef038fffee63f6f939f7974edc089641ff91482c54b1c16dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8fea6a1f907ea9d598c00753971d1af9

SHA1
74683587aec00cd0dbcb7d9f143ef46b90d49454

SHA256
65cd52d8c4f14b77ea9547bbabd7333f94c3abd81ee5cbaa405e499bd6b0f824

SHA512
c4d8a744f87ba9bb269429b41da82ef52d5c9f025835a0fb655d65b466e89552577b9dcc17046bc8dfcc62787ef1f8bb8679d623381f0b7c7cb7fdb435ebe56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0ca99c015360d056a5a526626e99787

SHA1
e827d41af2b5c51de2501c28383ce3d186c1c765

SHA256
602caaf92545888816609b253508ce66c61304e9616541193aa61dcf75c24127

SHA512
7a878be3fdb992c4133cbafce7fa7ddd747bcba17a8622b056a1b1b3bcf778831a95a6bb073fbc0f3e463bcc7209db737f9334b5e0d8ba5263434b7ad87de649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cac5d8f479d77471e09fc1d032944d57

SHA1
6e9cbfa1e26e246d6917eeb3b3d61b77d7e60458

SHA256
155916495e941b7955f3dd0090a8d22d54aebda1b53518ae09f178ecdd7bc82a

SHA512
e3e746b9cb82bcb3ccc0c3f30b110b2df81f7b32e2f56ee2f34b849ce90779b954b3ab0835692eccaff5ea5efb3389c4a566a5c603923342c24475f021abe1fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d924e4e7ec6535f75b290865b0455240

SHA1
172d49738c3e8b8c5ced4eff610231f1feec7eef

SHA256
5fa8f34301cbcbee52a10c3bf5446f8a9bb98e2a289fb972bc8b4db757d88e3e

SHA512
033b27bb29a0f743a76ae2097325d96129bd52298c4b5150c8cbf30f910bd5320d1f9c4d6209f8451e143f32305fa2f5743c443bf856ec560157180c76b21493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e728613d0bf04d9d0d80d6127326b8df

SHA1
37fb2a98dd22a9efd9795a65855afec3b9ea13e3

SHA256
1365158be5af6b7a2c0e630f5d811c2986c6b34882d8d3727518679475c23496

SHA512
a8e9b3ee7e5df26ef5e80e25dcdf16c65446471153507a6d877342ada80bb303b41a76d39d519a233647c2f223886cf95ea0449ee2e8c6b773ebedbd407bf5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
011095fc2d4d9d2bfe3a5cd37f1a97b2

SHA1
4a97cef624002b16c0e6a189cc96bc541058cf5f

SHA256
943a09648c60080343e1ffa6039777231b8f5dcacbc4eec9ba4071dd81250cd8

SHA512
e6723eaa708b61c4d91bd1b32a12f64817e7ad97684a1047beec4ffbc7a5a40e93b981cd081dd22d5c1a7f774adae94460828a03e793ed750bf7c3dd7b4d8034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
32a9b9f6fb926fd963d02734ae65f137

SHA1
4ffc3f73dfee65ec25b8671301fddfdb7e0057b0

SHA256
9b9379573cb7ab9251760ac0907c8919a1680aba8b76b6ebc671972bc6117975

SHA512
3e1032386957c12ac21e97154ef0f6d1d66cc5aa11adc228f98b22b5189cec40f4c8ea2fc9e8ce6c3a9aad9f58572c6e669462f2974a837fd99a5c8c72aac4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
32a9b9f6fb926fd963d02734ae65f137

SHA1
4ffc3f73dfee65ec25b8671301fddfdb7e0057b0

SHA256
9b9379573cb7ab9251760ac0907c8919a1680aba8b76b6ebc671972bc6117975

SHA512
3e1032386957c12ac21e97154ef0f6d1d66cc5aa11adc228f98b22b5189cec40f4c8ea2fc9e8ce6c3a9aad9f58572c6e669462f2974a837fd99a5c8c72aac4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
422ac3f0f09fe72712e533c001df5618

SHA1
968cf07c7559edeb0c60e256e03cea06eca40804

SHA256
1da7dfdac3f44a8a7e1333a96c3bb1d5e059471da2a1edfe92ba5dba33a2d625

SHA512
de6bd0836fc57cdb2a734750fb093297b422549385ca4b80c5a95ca53ed62db58d7d0c1c9acfd461953c66f756dcf27df7b09c0d90234c8fb634a645b807ce02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83f0f1937b9a8e85f35d906b321dbe25

SHA1
4b138b0949020c0a1dcd2ba66d4f0ab14f8c89b8

SHA256
8f8294c63846680dc178107b6c7a647ca097be39928c70df1362b6314367fecb

SHA512
42ec227a99b9ce4aa1b373cbaab8639d3a44149ef6c8600843ee8e813324421dc32cd491c122512c44800fecff561e30de9709086ce931718a61a1af23966cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83f0f1937b9a8e85f35d906b321dbe25

SHA1
4b138b0949020c0a1dcd2ba66d4f0ab14f8c89b8

SHA256
8f8294c63846680dc178107b6c7a647ca097be39928c70df1362b6314367fecb

SHA512
42ec227a99b9ce4aa1b373cbaab8639d3a44149ef6c8600843ee8e813324421dc32cd491c122512c44800fecff561e30de9709086ce931718a61a1af23966cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
082d79c15b90435eb7953913153ac2d3

SHA1
deea8b13ef952bfb33d0268b3b07016dde796eaa

SHA256
baa9b65eb385fd2ee5a7eb8f2491381d0de914d6b575ec0d36f3267383e62182

SHA512
7114c438ca181ae5ec7698cf8768f6a0de2c85c3916c893864320b2a4b79697ab0e244dfbde4222848e273a173c51a50b2dd6ec890805c2cf97a35d82020276e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
206B

MD5
a4603e2a7ceecc8ee38a31b0649f87d1

SHA1
d3255ef60f25ec5bcc40c645be3d879d301c3946

SHA256
c8a789a436e78a0a44c0487606f1dc43ae665309f679deb5dc3ad9240d5ac814

SHA512
e926fa679f5f3906c8ebcb6b93c68e0f3db93f357a239339b5f74bf164f84a95860ec6788e2af247d4d8cf5ebfd5db093092ce9cd421dbb6fab6ade3b3a67af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
206B

MD5
18794e19dec9058fee5a66c0a3d42f43

SHA1
1499a98e19da35a5695bdb165e6809ca2b7b7aa4

SHA256
607d64f82543649304d37d5fdb7cc272cbdb719dafd0505c4290dbf344436aeb

SHA512
a6512f69d49ec9f3f9c9255d44cdfa5d3e370526571645076ce3352427fb20f359a979a82945e4f064867dd3ee1610b0b921c050c7fd6f2df6ecf5c91c1f0c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
206B

MD5
0a183a6fe8cf1c0ecbb2d75a83bc58a4

SHA1
4c70380adc842e73e9aeafdc9d28b9f0e0d392c3

SHA256
37f31f079fd5714aa715abf7698407fd4c88b6db8f5ec32dbd4b794a75d6ede9

SHA512
cfb3f5e312bc1935be4bff1dedb6a703d187733c2012f4c03376069730bc42cad325e9aef164b405c959ab0a67f62f3426da2669913b6e44cabb105837eeeb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

Filesize
206B

MD5
730cd8df4904f27fa1cc3006600596ee

SHA1
408c060e74c23e09f20f5884ecf081fbef3f318f

SHA256
79a312f6924726d92688815d5a0bff29cd9940516e7b1e219aa0d8803cc397f2

SHA512
b15091ff4880d2fc282d76d9770342fb41cb6c3b44a088329b6591e9f1274cc7bf9dfa5a9def79acceebeb68458efd62e3a61fc1e9eeb33f09e45af11e42a101

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat

Filesize
206B

MD5
20481d283881013d924e98a9ad4921ac

SHA1
0398a021929f75741e787855445398037bb3b5a5

SHA256
53b0d22cfaa9bb4639a54a756a73b9ab309a34f0642a03c9954cc5fa7f52efdc

SHA512
1f53aaffde72074a87967c6f4e23aa57066470510ad9e5bf51da2fcf44a942b5a746f9d088eaac7638ef29c7f994549eb4d7ac7b88f7731169ccd96f2c9dc1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat

Filesize
206B

MD5
9d3a6209b8d77b5620feebe2b03bdd15

SHA1
48a35bb0d8128d0d4b087086a2a7e7ac2c77369b

SHA256
9a241d39963e33dc394a77bee02dbcf88e68e7441897f08a0e82246eba08153c

SHA512
93e24535a3785b09a2938815e0c793300f066e1de79614edda568d97895c7b90509e0725c6ed0d2a33ff6a80ec4b3caddd61d99035934c777ac577f2ff13fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat

Filesize
206B

MD5
5f736fb2bbdd14b55d1ce9c95d40c7d1

SHA1
ecc5d596e066650ad8f7f68dfcdd66b67507b14e

SHA256
d898670452b0c2f96dccd64beaea2ab68daf250b5f7bba35678c06f68e2da07c

SHA512
e8fdb4cbea7ca9dd75e26cf210e9b60091e912c56c82b6bdbf0efacfec98761613eda67e2f880e4f604ffc3c031d23963c3dad16a079843097e26c5abdc02308

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
206B

MD5
852f78816e257f7f087d59daf08eff10

SHA1
123c7693b1f8dc179651fcc5d50aa7910d930b16

SHA256
c01a25a7cccc2a9d566457417a54bbbda0cef6f5b3ab39b20b1e14af9444fd72

SHA512
435c1196567cd04fdb5ec1a92f872e3ec523a0a5e40b19e6afa5dd03c9c05517eb5615ba2505331e0f27644f91a1ad633aed2cd772cd175a33d4e973c286ffcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
206B

MD5
e0138a6dcbffcf6ac7feb7df3b21a0cd

SHA1
82b1b74c35c5ae30807e1b590cc22fa2750c0e08

SHA256
9578c86737c770736736d4144ee0c022042e0643bacf7c11bb6b1b841de5675b

SHA512
cf0d99a81fbcdd453858a5c5781a289d34ba8e200d022d166112c6b638007205caf949d5f40e2ff023bdde29483c61f3772722ce672b26a487a8cf07b6521652

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat

Filesize
206B

MD5
5e900091caeb309c11cc7eedbc2c7d70

SHA1
af039c3e9688120475d64a549c5b2d1630bd6b6a

SHA256
9cf2bcf99746fc73c2fe8093134487876240db8e2b717459404b837469b9002a

SHA512
b72bbe9c3f2fc06f9d52aeacb663ad7a9fcd75fdb1f566978cdb97052b3b9d8d53c7d433031ff6a44ae5c54d9bc9697015aaa198d3645cc77598afa171583603

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

Filesize
206B

MD5
c8cf43b5adeaee421e2447f531b41163

SHA1
ce565bbd46288a1234b4ad2cf38082d4c2bd5203

SHA256
f86bb997f2ab2800a041b8cbe1bf529eca597700ab5ad615d1488af8044bd30b

SHA512
4a86b4b867859ebe5643cc6755b90484b485931107cbcd9f953697291f57bcf2f325e7c38a4c67ac7f53e437821a78c0fd9f2f33b7da6ec4b44e6dc4f3b422e0

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Logs\HomeGroup\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/64-825-0x0000000000000000-mapping.dmp

Download
memory/380-920-0x0000000000000000-mapping.dmp

Download
memory/380-922-0x00000000026A0000-0x00000000026B2000-memory.dmp

Filesize
72KB

Download
memory/404-373-0x000001E166B70000-0x000001E166B92000-memory.dmp

Filesize
136KB

Download
memory/404-291-0x0000000000000000-mapping.dmp

Download
memory/544-933-0x0000000000000000-mapping.dmp

Download
memory/796-260-0x0000000000000000-mapping.dmp

Download
memory/1012-309-0x0000000000000000-mapping.dmp

Download
memory/1012-414-0x000001B99BD30000-0x000001B99BDA6000-memory.dmp

Filesize
472KB

Download
memory/1012-926-0x0000000000000000-mapping.dmp

Download
memory/1224-797-0x0000000000000000-mapping.dmp

Download
memory/1320-304-0x0000000000000000-mapping.dmp

Download
memory/1432-915-0x0000000000000000-mapping.dmp

Download
memory/1484-930-0x0000000000000000-mapping.dmp

Download
memory/1860-917-0x0000000000000000-mapping.dmp

Download
memory/2216-919-0x0000000000000000-mapping.dmp

Download
memory/2736-295-0x0000000000000000-mapping.dmp

Download
memory/2836-293-0x0000000000000000-mapping.dmp

Download
memory/2852-945-0x0000000000000000-mapping.dmp

Download
memory/3176-946-0x0000000000000000-mapping.dmp

Download
memory/3176-948-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/3224-321-0x0000000000000000-mapping.dmp

Download
memory/3708-324-0x0000000000000000-mapping.dmp

Download
memory/3796-292-0x0000000000000000-mapping.dmp

Download
memory/3824-297-0x0000000000000000-mapping.dmp

Download
memory/3876-938-0x0000000000000000-mapping.dmp

Download
memory/4036-940-0x0000000000000000-mapping.dmp

Download
memory/4060-936-0x0000000000000000-mapping.dmp

Download
memory/4156-348-0x0000000000000000-mapping.dmp

Download
memory/4160-935-0x0000000000000000-mapping.dmp

Download
memory/4188-941-0x0000000000000000-mapping.dmp

Download
memory/4200-330-0x0000000000000000-mapping.dmp

Download
memory/4296-914-0x0000000000000000-mapping.dmp

Download
memory/4444-294-0x0000000000000000-mapping.dmp

Download
memory/4528-185-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-186-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-184-0x0000000000000000-mapping.dmp

Download
memory/4588-317-0x0000000000000000-mapping.dmp

Download
memory/4600-312-0x0000000000000000-mapping.dmp

Download
memory/4656-290-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/4656-289-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/4656-288-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/4656-287-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/4656-286-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/4656-283-0x0000000000000000-mapping.dmp

Download
memory/4740-165-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-155-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-121-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-122-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-123-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-183-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-182-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-181-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-180-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-179-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-177-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-178-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-176-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-175-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-169-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-171-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-173-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-174-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-172-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-170-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-168-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-167-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-166-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-120-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-164-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-160-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-163-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-125-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-162-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-161-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-126-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-159-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-128-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-158-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-129-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-131-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-134-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-157-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-133-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-136-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-156-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-138-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-139-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-137-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-140-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-153-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-141-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-154-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-152-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-149-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-151-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-150-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-148-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-147-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-143-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-146-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-145-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-135-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-144-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-132-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-130-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4740-142-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4788-910-0x0000000000000000-mapping.dmp

Download
memory/4816-931-0x0000000000000000-mapping.dmp

Download
memory/4872-306-0x0000000000000000-mapping.dmp

Download
memory/4924-928-0x0000000000000000-mapping.dmp

Download
memory/4948-925-0x0000000000000000-mapping.dmp

Download
memory/4948-301-0x0000000000000000-mapping.dmp

Download
memory/4964-300-0x0000000000000000-mapping.dmp

Download
memory/5100-296-0x0000000000000000-mapping.dmp

Download
memory/5180-923-0x0000000000000000-mapping.dmp

Download
memory/5308-912-0x0000000000000000-mapping.dmp

Download
memory/5340-943-0x0000000000000000-mapping.dmp

Download
memory/5580-893-0x0000000000000000-mapping.dmp

Download
memory/5688-896-0x0000000000000000-mapping.dmp

Download
memory/5744-898-0x0000000000000000-mapping.dmp

Download
memory/5764-901-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/5764-899-0x0000000000000000-mapping.dmp

Download
memory/5888-902-0x0000000000000000-mapping.dmp

Download
memory/5948-904-0x0000000000000000-mapping.dmp

Download
memory/5968-905-0x0000000000000000-mapping.dmp

Download
memory/6068-907-0x0000000000000000-mapping.dmp

Download
memory/6124-909-0x0000000000000000-mapping.dmp

Download