dcrat | 2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72.exe
Size

1.3MB
MD5

6156452c677dc54cb06f9681e267de77
SHA1

132f29614fb742aaaf1d0abfcf64fab038f950a2
SHA256

2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72
SHA512

6495f11ac7ed34a2aa1e6f2cc51ab836e5019c60636cf58fa1e103f7d83b88004c4bdb1b9644b5deb458e365d256cff0890a26668f87432f61df83453dd4f9be
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	3924	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3924	schtasks.exe	28

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0001000000022e03-137.dat	dcrat
behavioral1/files/0x0001000000022e03-138.dat	dcrat
behavioral1/memory/3132-139-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/files/0x0001000000022e1c-227.dat	dcrat
behavioral1/files/0x0001000000022e1c-228.dat	dcrat
behavioral1/files/0x0001000000022e1c-235.dat	dcrat
behavioral1/files/0x0001000000022e1c-243.dat	dcrat
behavioral1/files/0x0001000000022e1c-250.dat	dcrat
behavioral1/files/0x0001000000022e1c-257.dat	dcrat
behavioral1/files/0x0001000000022e1c-264.dat	dcrat
behavioral1/files/0x0001000000022e1c-271.dat	dcrat

Executes dropped EXE 8 IoCs

pid	Process
3132	DllCommonsvc.exe
5992	upfc.exe
5712	upfc.exe
3920	upfc.exe
1944	upfc.exe
5776	upfc.exe
6064	upfc.exe
4640	upfc.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\smss.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteDesktops\38384e6a620884	DllCommonsvc.exe
File created	C:\Windows\Globalization\Time Zone\System.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\Time Zone\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\upfc.exe	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4412	schtasks.exe
4296	schtasks.exe
1472	schtasks.exe
1044	schtasks.exe
3260	schtasks.exe
2292	schtasks.exe
1580	schtasks.exe
4208	schtasks.exe
3440	schtasks.exe
2976	schtasks.exe
1236	schtasks.exe
5084	schtasks.exe
3136	schtasks.exe
756	schtasks.exe
4060	schtasks.exe
4796	schtasks.exe
4680	schtasks.exe
4936	schtasks.exe
3180	schtasks.exe
4644	schtasks.exe
4408	schtasks.exe
4640	schtasks.exe
4416	schtasks.exe
1736	schtasks.exe
3084	schtasks.exe
1772	schtasks.exe
3948	schtasks.exe
2072	schtasks.exe
4364	schtasks.exe
2276	schtasks.exe
1168	schtasks.exe
364	schtasks.exe
4368	schtasks.exe
3368	schtasks.exe
4916	schtasks.exe
2192	schtasks.exe
2200	schtasks.exe
3060	schtasks.exe
3564	schtasks.exe
5064	schtasks.exe
2188	schtasks.exe
2712	schtasks.exe
2500	schtasks.exe
8	schtasks.exe
2784	schtasks.exe
2120	schtasks.exe
2832	schtasks.exe
5100	schtasks.exe
4028	schtasks.exe
1488	schtasks.exe
1756	schtasks.exe
3568	schtasks.exe
4308	schtasks.exe
4284	schtasks.exe
4392	schtasks.exe
2528	schtasks.exe
1512	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	upfc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
3132	DllCommonsvc.exe
4744	powershell.exe
4744	powershell.exe
5112	powershell.exe
5112	powershell.exe
2816	powershell.exe
2816	powershell.exe
3000	powershell.exe
3000	powershell.exe
4828	powershell.exe
4828	powershell.exe
1548	powershell.exe
1548	powershell.exe
4048	powershell.exe
4048	powershell.exe
1476	powershell.exe
1476	powershell.exe
3652	powershell.exe
3652	powershell.exe
1084	powershell.exe
1084	powershell.exe
1580	powershell.exe
1580	powershell.exe
4844	powershell.exe
4844	powershell.exe
1912	powershell.exe
1912	powershell.exe
4208	powershell.exe
4208	powershell.exe
2872	powershell.exe
2872	powershell.exe
3060	powershell.exe
3060	powershell.exe
2244	powershell.exe
2244	powershell.exe
4752	powershell.exe
4752	powershell.exe
4544	powershell.exe
4544	powershell.exe
3000	powershell.exe
3000	powershell.exe
3048	powershell.exe
3048	powershell.exe
2816	powershell.exe
2816	powershell.exe
5112	powershell.exe
5112	powershell.exe
4744	powershell.exe
4744	powershell.exe
1548	powershell.exe
1548	powershell.exe
4828	powershell.exe
4828	powershell.exe
4048	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	DllCommonsvc.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	5992	upfc.exe
Token: SeDebugPrivilege	5712	upfc.exe
Token: SeDebugPrivilege	3920	upfc.exe
Token: SeDebugPrivilege	1944	upfc.exe
Token: SeDebugPrivilege	5776	upfc.exe
Token: SeDebugPrivilege	6064	upfc.exe
Token: SeDebugPrivilege	4640	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3780	400	2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72.exe	82
PID 400 wrote to memory of 3780	400	2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72.exe	82
PID 400 wrote to memory of 3780	400	2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72.exe	82
PID 3780 wrote to memory of 3464	3780	WScript.exe	86
PID 3780 wrote to memory of 3464	3780	WScript.exe	86
PID 3780 wrote to memory of 3464	3780	WScript.exe	86
PID 3464 wrote to memory of 3132	3464	cmd.exe	88
PID 3464 wrote to memory of 3132	3464	cmd.exe	88
PID 3132 wrote to memory of 2816	3132	DllCommonsvc.exe	147
PID 3132 wrote to memory of 2816	3132	DllCommonsvc.exe	147
PID 3132 wrote to memory of 5112	3132	DllCommonsvc.exe	187
PID 3132 wrote to memory of 5112	3132	DllCommonsvc.exe	187
PID 3132 wrote to memory of 4744	3132	DllCommonsvc.exe	149
PID 3132 wrote to memory of 4744	3132	DllCommonsvc.exe	149
PID 3132 wrote to memory of 3000	3132	DllCommonsvc.exe	150
PID 3132 wrote to memory of 3000	3132	DllCommonsvc.exe	150
PID 3132 wrote to memory of 1548	3132	DllCommonsvc.exe	185
PID 3132 wrote to memory of 1548	3132	DllCommonsvc.exe	185
PID 3132 wrote to memory of 4828	3132	DllCommonsvc.exe	152
PID 3132 wrote to memory of 4828	3132	DllCommonsvc.exe	152
PID 3132 wrote to memory of 4048	3132	DllCommonsvc.exe	153
PID 3132 wrote to memory of 4048	3132	DllCommonsvc.exe	153
PID 3132 wrote to memory of 1476	3132	DllCommonsvc.exe	171
PID 3132 wrote to memory of 1476	3132	DllCommonsvc.exe	171
PID 3132 wrote to memory of 1084	3132	DllCommonsvc.exe	156
PID 3132 wrote to memory of 1084	3132	DllCommonsvc.exe	156
PID 3132 wrote to memory of 3652	3132	DllCommonsvc.exe	157
PID 3132 wrote to memory of 3652	3132	DllCommonsvc.exe	157
PID 3132 wrote to memory of 4844	3132	DllCommonsvc.exe	168
PID 3132 wrote to memory of 4844	3132	DllCommonsvc.exe	168
PID 3132 wrote to memory of 1580	3132	DllCommonsvc.exe	161
PID 3132 wrote to memory of 1580	3132	DllCommonsvc.exe	161
PID 3132 wrote to memory of 1912	3132	DllCommonsvc.exe	167
PID 3132 wrote to memory of 1912	3132	DllCommonsvc.exe	167
PID 3132 wrote to memory of 4208	3132	DllCommonsvc.exe	162
PID 3132 wrote to memory of 4208	3132	DllCommonsvc.exe	162
PID 3132 wrote to memory of 2872	3132	DllCommonsvc.exe	165
PID 3132 wrote to memory of 2872	3132	DllCommonsvc.exe	165
PID 3132 wrote to memory of 3060	3132	DllCommonsvc.exe	182
PID 3132 wrote to memory of 3060	3132	DllCommonsvc.exe	182
PID 3132 wrote to memory of 4752	3132	DllCommonsvc.exe	173
PID 3132 wrote to memory of 4752	3132	DllCommonsvc.exe	173
PID 3132 wrote to memory of 2244	3132	DllCommonsvc.exe	176
PID 3132 wrote to memory of 2244	3132	DllCommonsvc.exe	176
PID 3132 wrote to memory of 3048	3132	DllCommonsvc.exe	177
PID 3132 wrote to memory of 3048	3132	DllCommonsvc.exe	177
PID 3132 wrote to memory of 4544	3132	DllCommonsvc.exe	178
PID 3132 wrote to memory of 4544	3132	DllCommonsvc.exe	178
PID 3132 wrote to memory of 5360	3132	DllCommonsvc.exe	189
PID 3132 wrote to memory of 5360	3132	DllCommonsvc.exe	189
PID 5360 wrote to memory of 1028	5360	cmd.exe	191
PID 5360 wrote to memory of 1028	5360	cmd.exe	191
PID 5360 wrote to memory of 5992	5360	cmd.exe	193
PID 5360 wrote to memory of 5992	5360	cmd.exe	193
PID 5992 wrote to memory of 4812	5992	upfc.exe	194
PID 5992 wrote to memory of 4812	5992	upfc.exe	194
PID 4812 wrote to memory of 2868	4812	cmd.exe	196
PID 4812 wrote to memory of 2868	4812	cmd.exe	196
PID 4812 wrote to memory of 5712	4812	cmd.exe	197
PID 4812 wrote to memory of 5712	4812	cmd.exe	197
PID 5712 wrote to memory of 5656	5712	upfc.exe	198
PID 5712 wrote to memory of 5656	5712	upfc.exe	198
PID 5656 wrote to memory of 3208	5656	cmd.exe	200
PID 5656 wrote to memory of 3208	5656	cmd.exe	200

C:\Users\Admin\AppData\Local\Temp\2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72.exe
"C:\Users\Admin\AppData\Local\Temp\2103fe6b0cd70d1ed32bdd78b042b4e973eb3677da60cb288c62d5a6adb62f72.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Time Zone\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\upfc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\upfc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdqTVdLDgZ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5360
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1028
      - C:\Windows\AppReadiness\upfc.exe
        
        "C:\Windows\AppReadiness\upfc.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2868
        
        C:\Windows\AppReadiness\upfc.exe
        
        "C:\Windows\AppReadiness\upfc.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3208
        
        C:\Windows\AppReadiness\upfc.exe
        
        "C:\Windows\AppReadiness\upfc.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
        11⤵
        
        PID:4100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2700
        
        C:\Windows\AppReadiness\upfc.exe
        
        "C:\Windows\AppReadiness\upfc.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        13⤵
        
        PID:3664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4348
        
        C:\Windows\AppReadiness\upfc.exe
        
        "C:\Windows\AppReadiness\upfc.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        15⤵
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:5196
        
        C:\Windows\AppReadiness\upfc.exe
        
        "C:\Windows\AppReadiness\upfc.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
        17⤵
        
        PID:5268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:6032
        
        C:\Windows\AppReadiness\upfc.exe
        
        "C:\Windows\AppReadiness\upfc.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        19⤵
        
        PID:5292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\Time Zone\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\Time Zone\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\AppReadiness\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
101c3b86ef1c02c62b7d862c2a47363b

SHA1
3c5e8d309610e5ba41b6b9788bfb826e45864b46

SHA256
9174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c

SHA512
d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9611cc3fb39fedd4b0e81d90b044531c

SHA1
e35c10c1c1e29d44222114e0f72d58b3072880fd

SHA256
2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec

SHA512
92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9611cc3fb39fedd4b0e81d90b044531c

SHA1
e35c10c1c1e29d44222114e0f72d58b3072880fd

SHA256
2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec

SHA512
92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9611cc3fb39fedd4b0e81d90b044531c

SHA1
e35c10c1c1e29d44222114e0f72d58b3072880fd

SHA256
2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec

SHA512
92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c571f748f85a6794b16e8e8ef10687ab

SHA1
becf11b355e41d6a51f2d97053c4d5319ee9d179

SHA256
c21d26af506fe324d5d7245d317b5eb2786dd1f9b99d020f79622b1c1bf3f937

SHA512
61ffd7c2e4b4feff2a09d82beea627fc11742359995c2c0abce0214ccdfe8a86bd9dffcf6bf84560ffbe768e69fdefa1d144a0cfb5146408562e24656d1cfee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
197B

MD5
aa750fc67f1251769ba838b6932f6904

SHA1
d315ae49e240e82cd410f9e1445fbc221030b78e

SHA256
88aa368f520b742823ea5ca0a0bb28c57b886bb69c5241b943cf92002ee5b064

SHA512
821f4364a3787fdab7b3241a3244cd4808b744a53073d6b9c884a0231debc5fa43980ed5c3f8da6411d101ca5241ef387337e59cee6b1c87d982629de12a096e

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

Filesize
197B

MD5
d1be2f92a48a1e8ca2c3d0a48842fc9d

SHA1
f850d536ce094945680b2e06058b82145e77da74

SHA256
e6e28ddb4fc436891d0df5c145f370d65bf06adf5f09ac8d4203abf8ce1e4566

SHA512
4ba486856c533a3b1c50234f9eb00b9eb6c03ef2d94ffed127b88dee6a36a67ef3701a37360dd2e56ff5cae8ee43490195c2caddf956e3a3171bb230d4dbdf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdqTVdLDgZ.bat

Filesize
197B

MD5
4d0a5ed57abaa5e76a75ef939fad608a

SHA1
300f8e86d1b54fd88c8e4f7d67489534530deaca

SHA256
9f2afe158a332535e497ff2ab90b9bc77edbb0883e0176c68682ca04095a3f32

SHA512
7e9b7b61a5b8d20de322894a6e51343d30034e750c540330be73213a6572e4c9e86795b92708d24b67786663429485647c0923b845873749fc09e2ebe41f3c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
197B

MD5
1747efac777435e87ead14f32547ccb3

SHA1
869aefdcb206bd52964977a908120f3b8cc84008

SHA256
ff9ab930e75941f539148905c73d840f48bdb33738cc258886c97f684419c134

SHA512
2b3ab6086aa90daf8f0f6d62b4cf28700151161ca40d3b4890f539a8e7e4ccf0566c3228fd67de05dac7d03234caebdf4332fc3cca054fa2ba1b595adae47766

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
197B

MD5
52c9f4353de00f0e1ec63c7507196565

SHA1
54e32304291bf3b722cdf1be0a495611dc4d32e3

SHA256
f5b031fb0db1d15772a3b894b2ba4f4208b33f3e9d54705beeab8be95f900861

SHA512
570a228562da153d42201825a716a930f8c444e6440e35391cc2cc1e7bb5ca697cb434bd1e73ac615ed1c2a809145638572a44e1a6eaa48ad4d3b63f4a14564a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
197B

MD5
bfb261f022af9bd78166ba1edacdaf03

SHA1
735fa6bcf77cac33a5f2eebb5eb3cc38f8c30f7c

SHA256
2bfbd6c1c78899eadd831713949982aba1a02c845ad1dc7af9658bbb082f44cd

SHA512
8ebce067bc1dc6d0f6f54b071b082134530bd8dd7b5da6f123525d800abcb652eab9585ea18104f1e474d98c2fe016910795c5ff9472c2b268a6840c59e8228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

Filesize
197B

MD5
40334e1d0cc7a8c54498debf746aed61

SHA1
33f993ff6482dd934b2bdc66d838d5f2486d90e8

SHA256
7dfb2889bc27f2acc1fc9f413af3d35f0c5404d29ef1fab8cedc0755ce15cfd3

SHA512
2c81e490c08c8b80a9ac48a387ce7a82d4a8391245ca5772e53db9f5feffa35fd1725e905c4680c09226eb22a5c7ba07b053d1e3b8d290b593ebdaf9efbe4c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
197B

MD5
21c1dbdf56e78ccc9070422ca1e3a1c7

SHA1
a84ee58a02c3a006da45b0628eec8e84fc5a55ff

SHA256
d29e3134769c63bab8319c4db2de5a4f44ed9f4ab099697de9cb7397324ed585

SHA512
0eed1ca17c8295b2a7eb046b994a0fd242d62852529e45d3b098a758a5c4dff5b7bb5a58344f66963734ee3a2ec4019a1ba573410766314a33e4d4415a027a2a

Download Submit
C:\Windows\AppReadiness\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppReadiness\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppReadiness\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppReadiness\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppReadiness\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppReadiness\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppReadiness\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\AppReadiness\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1084-168-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1084-205-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1476-167-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1476-206-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-200-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-161-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1580-209-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1580-169-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1912-213-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1912-170-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1944-255-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1944-251-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2244-221-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2244-172-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-191-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-174-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-216-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-180-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3000-188-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3000-159-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-183-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-224-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-181-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-225-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-139-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/3132-140-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-173-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3652-176-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3652-202-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3920-248-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3920-244-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-203-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-165-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4208-178-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4208-212-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4544-184-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4544-222-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-272-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-276-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-192-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-155-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-160-0x0000022E88BF0000-0x0000022E88C12000-memory.dmp

Filesize
136KB

Download
memory/4752-220-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4752-182-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-175-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-196-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4844-215-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4844-177-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-152-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-193-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5712-241-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5712-237-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5776-258-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5776-262-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5992-233-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5992-229-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/6064-269-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/6064-265-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download