dcrat | b5847205f77ea9c265953584049169e4412867927ff40284cb3a4c78e8a3e9f4

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5847205f77ea9c265953584049169e4412867927ff40284cb3a4c78e8a3e9f4.exe
Size

1.3MB
MD5

f3bb0cd30ed221d164c9e0ae7ed3e528
SHA1

da7169b63d0e5eedd9fd2b1b6d18ccd97443db29
SHA256

b5847205f77ea9c265953584049169e4412867927ff40284cb3a4c78e8a3e9f4
SHA512

5949b59cf81216be3608bc6a490744ae7c4d287dd79b7656d27a386550cfbee371560dc982847457f3a802eabcc6b72b6a8df2ef44fe4ac63a4e8923d6188ed8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	188	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3328	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3328	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac1c-279.dat	dcrat
behavioral1/files/0x000800000001ac1c-280.dat	dcrat
behavioral1/memory/1148-281-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac46-750.dat	dcrat
behavioral1/files/0x000600000001ac46-751.dat	dcrat
behavioral1/files/0x000600000001ac46-823.dat	dcrat
behavioral1/files/0x000600000001ac46-829.dat	dcrat
behavioral1/files/0x000600000001ac46-835.dat	dcrat
behavioral1/files/0x000600000001ac46-841.dat	dcrat
behavioral1/files/0x000600000001ac46-846.dat	dcrat
behavioral1/files/0x000600000001ac46-851.dat	dcrat
behavioral1/files/0x000600000001ac46-856.dat	dcrat
behavioral1/files/0x000600000001ac46-862.dat	dcrat
behavioral1/files/0x000600000001ac46-867.dat	dcrat
behavioral1/files/0x000600000001ac46-872.dat	dcrat
behavioral1/files/0x000600000001ac46-878.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
1148	DllCommonsvc.exe
2308	cmd.exe
732	cmd.exe
4492	cmd.exe
216	cmd.exe
4980	cmd.exe
1988	cmd.exe
4164	cmd.exe
4640	cmd.exe
2532	cmd.exe
304	cmd.exe
4472	cmd.exe
584	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1476	schtasks.exe
216	schtasks.exe
3724	schtasks.exe
4508	schtasks.exe
4500	schtasks.exe
4444	schtasks.exe
1172	schtasks.exe
1124	schtasks.exe
1880	schtasks.exe
3112	schtasks.exe
2244	schtasks.exe
5032	schtasks.exe
3204	schtasks.exe
4680	schtasks.exe
1060	schtasks.exe
188	schtasks.exe
4668	schtasks.exe
3608	schtasks.exe
5028	schtasks.exe
4060	schtasks.exe
5076	schtasks.exe
584	schtasks.exe
516	schtasks.exe
416	schtasks.exe
692	schtasks.exe
4416	schtasks.exe
3016	schtasks.exe
3876	schtasks.exe
4452	schtasks.exe
3312	schtasks.exe
4576	schtasks.exe
4552	schtasks.exe
1344	schtasks.exe
1352	schtasks.exe
2300	schtasks.exe
4340	schtasks.exe
1708	schtasks.exe
948	schtasks.exe
1348	schtasks.exe
2224	schtasks.exe
4948	schtasks.exe
500	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	b5847205f77ea9c265953584049169e4412867927ff40284cb3a4c78e8a3e9f4.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1148	DllCommonsvc.exe
1148	DllCommonsvc.exe
1148	DllCommonsvc.exe
1148	DllCommonsvc.exe
1148	DllCommonsvc.exe
4912	powershell.exe
4912	powershell.exe
768	powershell.exe
768	powershell.exe
812	powershell.exe
812	powershell.exe
2824	powershell.exe
2824	powershell.exe
640	powershell.exe
640	powershell.exe
2272	powershell.exe
2272	powershell.exe
2436	powershell.exe
2436	powershell.exe
2652	powershell.exe
2652	powershell.exe
3968	powershell.exe
3968	powershell.exe
3768	powershell.exe
3768	powershell.exe
1464	powershell.exe
1464	powershell.exe
812	powershell.exe
4740	powershell.exe
4740	powershell.exe
2804	powershell.exe
2804	powershell.exe
4856	powershell.exe
4856	powershell.exe
4740	powershell.exe
2652	powershell.exe
3768	powershell.exe
1464	powershell.exe
944	powershell.exe
944	powershell.exe
2824	powershell.exe
812	powershell.exe
4912	powershell.exe
768	powershell.exe
2652	powershell.exe
640	powershell.exe
2272	powershell.exe
3968	powershell.exe
2436	powershell.exe
2804	powershell.exe
4856	powershell.exe
944	powershell.exe
4740	powershell.exe
1464	powershell.exe
3768	powershell.exe
2824	powershell.exe
2824	powershell.exe
4912	powershell.exe
4912	powershell.exe
768	powershell.exe
768	powershell.exe
640	powershell.exe
640	powershell.exe
3968	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	DllCommonsvc.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeIncreaseQuotaPrivilege	812	powershell.exe
Token: SeSecurityPrivilege	812	powershell.exe
Token: SeTakeOwnershipPrivilege	812	powershell.exe
Token: SeLoadDriverPrivilege	812	powershell.exe
Token: SeSystemProfilePrivilege	812	powershell.exe
Token: SeSystemtimePrivilege	812	powershell.exe
Token: SeProfSingleProcessPrivilege	812	powershell.exe
Token: SeIncBasePriorityPrivilege	812	powershell.exe
Token: SeCreatePagefilePrivilege	812	powershell.exe
Token: SeBackupPrivilege	812	powershell.exe
Token: SeRestorePrivilege	812	powershell.exe
Token: SeShutdownPrivilege	812	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeSystemEnvironmentPrivilege	812	powershell.exe
Token: SeRemoteShutdownPrivilege	812	powershell.exe
Token: SeUndockPrivilege	812	powershell.exe
Token: SeManageVolumePrivilege	812	powershell.exe
Token: 33	812	powershell.exe
Token: 34	812	powershell.exe
Token: 35	812	powershell.exe
Token: 36	812	powershell.exe
Token: SeIncreaseQuotaPrivilege	2652	powershell.exe
Token: SeSecurityPrivilege	2652	powershell.exe
Token: SeTakeOwnershipPrivilege	2652	powershell.exe
Token: SeLoadDriverPrivilege	2652	powershell.exe
Token: SeSystemProfilePrivilege	2652	powershell.exe
Token: SeSystemtimePrivilege	2652	powershell.exe
Token: SeProfSingleProcessPrivilege	2652	powershell.exe
Token: SeIncBasePriorityPrivilege	2652	powershell.exe
Token: SeCreatePagefilePrivilege	2652	powershell.exe
Token: SeBackupPrivilege	2652	powershell.exe
Token: SeRestorePrivilege	2652	powershell.exe
Token: SeShutdownPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeSystemEnvironmentPrivilege	2652	powershell.exe
Token: SeRemoteShutdownPrivilege	2652	powershell.exe
Token: SeUndockPrivilege	2652	powershell.exe
Token: SeManageVolumePrivilege	2652	powershell.exe
Token: 33	2652	powershell.exe
Token: 34	2652	powershell.exe
Token: 35	2652	powershell.exe
Token: 36	2652	powershell.exe
Token: SeIncreaseQuotaPrivilege	4740	powershell.exe
Token: SeSecurityPrivilege	4740	powershell.exe
Token: SeTakeOwnershipPrivilege	4740	powershell.exe
Token: SeLoadDriverPrivilege	4740	powershell.exe
Token: SeSystemProfilePrivilege	4740	powershell.exe
Token: SeSystemtimePrivilege	4740	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 4848	2804	b5847205f77ea9c265953584049169e4412867927ff40284cb3a4c78e8a3e9f4.exe	66
PID 2804 wrote to memory of 4848	2804	b5847205f77ea9c265953584049169e4412867927ff40284cb3a4c78e8a3e9f4.exe	66
PID 2804 wrote to memory of 4848	2804	b5847205f77ea9c265953584049169e4412867927ff40284cb3a4c78e8a3e9f4.exe	66
PID 4848 wrote to memory of 3360	4848	WScript.exe	67
PID 4848 wrote to memory of 3360	4848	WScript.exe	67
PID 4848 wrote to memory of 3360	4848	WScript.exe	67
PID 3360 wrote to memory of 1148	3360	cmd.exe	69
PID 3360 wrote to memory of 1148	3360	cmd.exe	69
PID 1148 wrote to memory of 4912	1148	DllCommonsvc.exe	113
PID 1148 wrote to memory of 4912	1148	DllCommonsvc.exe	113
PID 1148 wrote to memory of 768	1148	DllCommonsvc.exe	115
PID 1148 wrote to memory of 768	1148	DllCommonsvc.exe	115
PID 1148 wrote to memory of 812	1148	DllCommonsvc.exe	116
PID 1148 wrote to memory of 812	1148	DllCommonsvc.exe	116
PID 1148 wrote to memory of 640	1148	DllCommonsvc.exe	117
PID 1148 wrote to memory of 640	1148	DllCommonsvc.exe	117
PID 1148 wrote to memory of 2272	1148	DllCommonsvc.exe	119
PID 1148 wrote to memory of 2272	1148	DllCommonsvc.exe	119
PID 1148 wrote to memory of 2824	1148	DllCommonsvc.exe	120
PID 1148 wrote to memory of 2824	1148	DllCommonsvc.exe	120
PID 1148 wrote to memory of 2652	1148	DllCommonsvc.exe	123
PID 1148 wrote to memory of 2652	1148	DllCommonsvc.exe	123
PID 1148 wrote to memory of 2436	1148	DllCommonsvc.exe	142
PID 1148 wrote to memory of 2436	1148	DllCommonsvc.exe	142
PID 1148 wrote to memory of 3968	1148	DllCommonsvc.exe	140
PID 1148 wrote to memory of 3968	1148	DllCommonsvc.exe	140
PID 1148 wrote to memory of 3768	1148	DllCommonsvc.exe	124
PID 1148 wrote to memory of 3768	1148	DllCommonsvc.exe	124
PID 1148 wrote to memory of 1464	1148	DllCommonsvc.exe	137
PID 1148 wrote to memory of 1464	1148	DllCommonsvc.exe	137
PID 1148 wrote to memory of 4740	1148	DllCommonsvc.exe	128
PID 1148 wrote to memory of 4740	1148	DllCommonsvc.exe	128
PID 1148 wrote to memory of 4856	1148	DllCommonsvc.exe	126
PID 1148 wrote to memory of 4856	1148	DllCommonsvc.exe	126
PID 1148 wrote to memory of 2804	1148	DllCommonsvc.exe	129
PID 1148 wrote to memory of 2804	1148	DllCommonsvc.exe	129
PID 1148 wrote to memory of 944	1148	DllCommonsvc.exe	133
PID 1148 wrote to memory of 944	1148	DllCommonsvc.exe	133
PID 1148 wrote to memory of 4060	1148	DllCommonsvc.exe	134
PID 1148 wrote to memory of 4060	1148	DllCommonsvc.exe	134
PID 4060 wrote to memory of 4084	4060	cmd.exe	145
PID 4060 wrote to memory of 4084	4060	cmd.exe	145
PID 4060 wrote to memory of 2308	4060	cmd.exe	147
PID 4060 wrote to memory of 2308	4060	cmd.exe	147
PID 2308 wrote to memory of 4680	2308	cmd.exe	148
PID 2308 wrote to memory of 4680	2308	cmd.exe	148
PID 4680 wrote to memory of 4796	4680	cmd.exe	150
PID 4680 wrote to memory of 4796	4680	cmd.exe	150
PID 4680 wrote to memory of 732	4680	cmd.exe	151
PID 4680 wrote to memory of 732	4680	cmd.exe	151
PID 732 wrote to memory of 4516	732	cmd.exe	152
PID 732 wrote to memory of 4516	732	cmd.exe	152
PID 4516 wrote to memory of 4364	4516	cmd.exe	154
PID 4516 wrote to memory of 4364	4516	cmd.exe	154
PID 4516 wrote to memory of 4492	4516	cmd.exe	155
PID 4516 wrote to memory of 4492	4516	cmd.exe	155
PID 4492 wrote to memory of 4568	4492	cmd.exe	156
PID 4492 wrote to memory of 4568	4492	cmd.exe	156
PID 4568 wrote to memory of 1412	4568	cmd.exe	158
PID 4568 wrote to memory of 1412	4568	cmd.exe	158
PID 4568 wrote to memory of 216	4568	cmd.exe	159
PID 4568 wrote to memory of 216	4568	cmd.exe	159
PID 216 wrote to memory of 2136	216	cmd.exe	160
PID 216 wrote to memory of 2136	216	cmd.exe	160

C:\Users\Admin\AppData\Local\Temp\b5847205f77ea9c265953584049169e4412867927ff40284cb3a4c78e8a3e9f4.exe
"C:\Users\Admin\AppData\Local\Temp\b5847205f77ea9c265953584049169e4412867927ff40284cb3a4c78e8a3e9f4.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B42tQgZn9w.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4084
      - C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4796
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4364
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1412
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"
        13⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4892
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
        15⤵
        
        PID:4880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4664
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
        17⤵
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3692
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        19⤵
        
        PID:4384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2688
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
        21⤵
        
        PID:516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1700
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        23⤵
        
        PID:1044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:400
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat"
        25⤵
        
        PID:5072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1172
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        27⤵
        
        PID:4536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3728
        
        C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        28⤵
        Executes dropped EXE
        
        PID:584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
234f76c51b1ad31a1cd29eb8ab57f61f

SHA1
5526c5286bfd62324e1aa7b5ae50c9b4b52668dd

SHA256
16167f84b62f8435b7522116e541872ca153c35e3f6e2d825661e340789be539

SHA512
8c27c9a4ff25792e7efb7739429d2e756da1884b4d136a47a50efc6a3069b83077597635b9bec7f6dfa914880aa2d0ad13136359c96829aced4dd6ae01387b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9682047fed70a8f8d5e2d3072d7abf57

SHA1
ea7d1ee130102f6b2beb37d9f70757a65f17e60d

SHA256
da169376ed4d1e5050c8805b1a7c709607303bda802dd7158f21cdb72b51feda

SHA512
9a14179a5e0a59d8b902741a42e54349406b9c2a141ab6e5cc3950c5a295668cc312cd1cd4ef804217c733f2a74ad91ec44bc1d78bb3fd4e8cc986e6e00f1fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9682047fed70a8f8d5e2d3072d7abf57

SHA1
ea7d1ee130102f6b2beb37d9f70757a65f17e60d

SHA256
da169376ed4d1e5050c8805b1a7c709607303bda802dd7158f21cdb72b51feda

SHA512
9a14179a5e0a59d8b902741a42e54349406b9c2a141ab6e5cc3950c5a295668cc312cd1cd4ef804217c733f2a74ad91ec44bc1d78bb3fd4e8cc986e6e00f1fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a83884e92607096eeb7b156efed25cf

SHA1
d569110e5f427d9479cb30a8897517cd907eeb25

SHA256
5ee32261c31906237faf8d2a23b319fad628ecf023dfef5311de6f45e3a36c95

SHA512
e2ecdc677eda916005d3419988d14301a6f4b9fc0ed203d15c3b8fb6aee8e9bdcefab77b22519193f9b293099bae8cf0811fc59926859ec543c4720131100e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ebadb46be93a9d3ecbced44c558e4e5

SHA1
4d8d93271556587021ac76ae27669a9d877224d4

SHA256
9998c1e682b664e2c56f3ce1e9e0501fd5b40a5dbd3a7d721c246546ba0e2018

SHA512
6764488b10552ab2c57c10ce38845e6feb55a08efb081765af739df207600db11bab64f03fd565e2f8d287cf6e0c08baed389ddc473fdbd6ab5d31633accea28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ebadb46be93a9d3ecbced44c558e4e5

SHA1
4d8d93271556587021ac76ae27669a9d877224d4

SHA256
9998c1e682b664e2c56f3ce1e9e0501fd5b40a5dbd3a7d721c246546ba0e2018

SHA512
6764488b10552ab2c57c10ce38845e6feb55a08efb081765af739df207600db11bab64f03fd565e2f8d287cf6e0c08baed389ddc473fdbd6ab5d31633accea28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
84073ec07c7e2891e60cccb9e78fcee5

SHA1
f8b1a9e3138faced75c5e0c21dc34887f73e8094

SHA256
6fd7d36d392f1ba20e1f023d5d22db9d87b30e5514abc2b53f0646e033ac055f

SHA512
aecae934960e8bf89e3263113fa3c9a26639b6d19ea4468e26a061375beb51f576345fcde09cdbb4c2caa94bfae2274e86380b8344d89a04887c5048468ddad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
835ad5d7c9949de64f32063b36962df1

SHA1
e0e9166af1928563b961dddfa65d7c385c2111fe

SHA256
0e98ce9496e720c0a0c8650e6d3993142bd5280e3a49adb8a01763c8b2472dbc

SHA512
3e33a9959b6af8edf12d88d3f48519669623083775d9c0fc471e01df9cb99046023cb3afa237d9ce52391d0ba7d22211add30c57a6d3482660ca8c18f99159b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
835ad5d7c9949de64f32063b36962df1

SHA1
e0e9166af1928563b961dddfa65d7c385c2111fe

SHA256
0e98ce9496e720c0a0c8650e6d3993142bd5280e3a49adb8a01763c8b2472dbc

SHA512
3e33a9959b6af8edf12d88d3f48519669623083775d9c0fc471e01df9cb99046023cb3afa237d9ce52391d0ba7d22211add30c57a6d3482660ca8c18f99159b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e316e64c8a911ebd8cfdefe99aa4eaa

SHA1
5ed2cc538dcf150da6a3262d2439cf3fbf53b6af

SHA256
6e00484a705d112daf998f91f72c3feb13413f4c82a7f9f219bb471fd5d9c04f

SHA512
37a11b060e1007b65a99c447b09714d78d09d8ab9db4ad43e2ac8d7695b88252853f9d6bcd433972bb07ca20987bf0387838fd2377be2f45488a1ddd224fcf5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
11124e649486d5244c272b1d334f147d

SHA1
f85f6644065631649803d219687b1f2d1b178825

SHA256
31ee375fbc35b9c7add5b704133966ed2d23a13d988fe4d5cdb49bb40624669e

SHA512
6ab2452a3b383ad97463df23cb95bf5208de586ab5e5a60fe9d9f3c47324b49af6785e3acccfd134e08bad42da25eccdb9592cf92e336942ad8b6a384ab27102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
11124e649486d5244c272b1d334f147d

SHA1
f85f6644065631649803d219687b1f2d1b178825

SHA256
31ee375fbc35b9c7add5b704133966ed2d23a13d988fe4d5cdb49bb40624669e

SHA512
6ab2452a3b383ad97463df23cb95bf5208de586ab5e5a60fe9d9f3c47324b49af6785e3acccfd134e08bad42da25eccdb9592cf92e336942ad8b6a384ab27102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
11124e649486d5244c272b1d334f147d

SHA1
f85f6644065631649803d219687b1f2d1b178825

SHA256
31ee375fbc35b9c7add5b704133966ed2d23a13d988fe4d5cdb49bb40624669e

SHA512
6ab2452a3b383ad97463df23cb95bf5208de586ab5e5a60fe9d9f3c47324b49af6785e3acccfd134e08bad42da25eccdb9592cf92e336942ad8b6a384ab27102

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat

Filesize
194B

MD5
7b3bc1c0581044983242b943e44e3ebb

SHA1
a43f9f16190ebda25aaa919e89791f9663972bdb

SHA256
7b4ff4ccb3303600f5c6ee3bb774bff51a500cbe0e031740f4d6ba7b3b250f6f

SHA512
5705bfbd55adddefb5c67568c1c9231d7ddac12a8aa6624fd885f9cd551dab24c03abe53104b41063911ebfc2da471fbb0b63750b59c38a92645fd73f05dca57

Download Submit
C:\Users\Admin\AppData\Local\Temp\B42tQgZn9w.bat

Filesize
194B

MD5
eed250820051a10531735e72467656d8

SHA1
bc443e0f82972107ee697f6a8d3cf8ce85dae66a

SHA256
d3d94476e2b0d1d4d5138f5e5dadb0939bac64d3da04da2d4d8effbea6be76ab

SHA512
36efea50318893f82e14f307517d81d8a66575329b9d9c1f3d9bbee36fe2a610aa6cbc91b0dd9b02d45c1f090f81dfa70e6af136bad5a2431082a44cd8058593

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

Filesize
194B

MD5
3174b03629a10dcea1a4971a363f7520

SHA1
6b8a9f1cad5e7706b541576ff4a681e83ef22600

SHA256
b02b19adc27ffdeeee8d98f3c3fe9fd3070e17d3c4ce81adfd07d128a34ca069

SHA512
5d87d462c5c486a3c7c496bed8c5b2f32a2bf5d9da020425eb516fd5c12d85394d74c18c67fd44b577c0757ec902b0a3ef6929690cd9db971493ccf113aa2fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
194B

MD5
b2e85110d2ababb75f746e17d9288822

SHA1
437d9e2f040b401d5552885d60f90491fd77e61b

SHA256
39af089ba85ff8eeecb2e22c67fb466198f6e6a1f322340aa149a6214abb0fb5

SHA512
93ee30c69eca7de7ae2c086c0014d52fddcb5766ab8f14ca44322588d591abf7c21620655f5a2243807239a076a9441a804589eaf76b16ada9bc0657490d2c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat

Filesize
194B

MD5
e08cbeb73e980d72afde42b6d3d80e2b

SHA1
f1c5eb5c3fcb73fad1caf47a8b638a777f6f131f

SHA256
fac34326da32f384a386970b5f8485fbf1861132e1c2955454f8e3b39dd10e92

SHA512
716a5fb5f782c947c8a270d1add3523673a669bfe8299b7beb86e188b0cd87c87073bec6a42fdb4fcdb04643b3c88b9b57baf7652c850448b076297b276fd7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
194B

MD5
2c00d16e9287a7f93508f74617c0e1bf

SHA1
8defc6ab4309cc554444b2cd1d6ce9cc2702580b

SHA256
761a9062fdf3d14d05a38301301815bd31bee567a88d5fa15e2101cbfd185ac8

SHA512
624ab58940f3c04363bb23dc0878bdac09175577b4e2cc2e562b96b62adf3988e546f7e5f44bdccddb815a27aed487f4d2309d22fafeb31ada113cc2eabee2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
194B

MD5
569e56a54e61f5d0cd8e119d31cfa110

SHA1
dd7936b491da6a19d16653fc04702b8f7aa7d54c

SHA256
6e5a286817614fba7b55b3031177314a0def7db933f4622aa02ac05e5e5e8eed

SHA512
c88f430e772c6f33561720bf351058eca01faea252c7a832eefb11dbec755149dcca5f6d62be8dfdd5e45729f439c54aa66b209e88d74d739363fbe95997f0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
194B

MD5
bbc660dcb8b377bf3238c1a8370e3cb0

SHA1
b7435c449bb11df5dcd4e461cf1981b2265396d8

SHA256
b05081c2fabf2c3c7b774f1b51f720637f66d437c420ddf340c96d465a8449b6

SHA512
15626338eb82ff0c82df634bc6930063d645cf597004e6584a2ab808b5663f04a747c1d4831920addd5eae97a70f904ccefbe2d9aa59cd198651e0f2679107bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

Filesize
194B

MD5
64c9050437516c8186bfa05fdb73df37

SHA1
997e594e25cd9922dfe8aa0919e114871b93c9e0

SHA256
696d9dfb02a7640326f729957963934658fb5c4f6d3a70667a1b91dade137efb

SHA512
c7e88aac83f5f38f0c584ce7869fdeeab138d88e1026cece8c2d9282ea2cd324a70c540d8870fc2b6d52207bee53edd38ed982be2b56553b4b62f06bd0030b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat

Filesize
194B

MD5
3b7b78b644a8931bf3b0a9e74464df7e

SHA1
6c6b8431cede8cc6f8c1cb9cde702e05e7f74d0f

SHA256
87ed03c98552dba3403d06015f933d0a559befe78d8246894b2229eee63e31f7

SHA512
81767f5481fbb60c5568097969f359adac079feedc96236b1359a1a3f057e8d0dbaa3e0210f159c584e5eda648332bee3bcd33337de3db0e1a251a21882f60db

Download Submit
C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat

Filesize
194B

MD5
3b7b78b644a8931bf3b0a9e74464df7e

SHA1
6c6b8431cede8cc6f8c1cb9cde702e05e7f74d0f

SHA256
87ed03c98552dba3403d06015f933d0a559befe78d8246894b2229eee63e31f7

SHA512
81767f5481fbb60c5568097969f359adac079feedc96236b1359a1a3f057e8d0dbaa3e0210f159c584e5eda648332bee3bcd33337de3db0e1a251a21882f60db

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

Filesize
194B

MD5
feb0f6ac06fd40d720c1be83345023a9

SHA1
2a5e77ff63ad91086fbc1919033628d927fb92ee

SHA256
d1029baeeb8ba05bb76bafb3e2c312abf23afb15f4974d16ed0ff496225d7b66

SHA512
d226ded07de8c0d0f09e7886326f8cb6793df0827cf2b6633cf52e6ff660a15467c2a9ec241b8a6f437b19fed1e4be6e694f31c5370b74166a0724c7b6bca28c

Download Submit
C:\Users\Default User\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Default\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/216-836-0x00000000012A0000-0x00000000012B2000-memory.dmp

Filesize
72KB

Download
memory/812-367-0x000001DEF95A0000-0x000001DEF9616000-memory.dmp

Filesize
472KB

Download
memory/1148-282-0x0000000002B20000-0x0000000002B32000-memory.dmp

Filesize
72KB

Download
memory/1148-285-0x0000000002B50000-0x0000000002B5C000-memory.dmp

Filesize
48KB

Download
memory/1148-284-0x0000000002B40000-0x0000000002B4C000-memory.dmp

Filesize
48KB

Download
memory/1148-283-0x0000000002B30000-0x0000000002B3C000-memory.dmp

Filesize
48KB

Download
memory/1148-281-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/2308-760-0x00000000020E0000-0x00000000020F2000-memory.dmp

Filesize
72KB

Download
memory/2804-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-116-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-120-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-123-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-124-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-125-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-178-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-177-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-176-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-175-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-174-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-173-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-172-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-171-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-170-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-169-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-168-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-167-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-165-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-166-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-164-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-163-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-162-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-115-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-157-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-130-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-156-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-155-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-154-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-153-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-152-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-137-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-150-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-148-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-139-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-142-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-354-0x000001FE186A0000-0x000001FE186C2000-memory.dmp

Filesize
136KB

Download
memory/4472-873-0x0000000000F50000-0x0000000000F62000-memory.dmp

Filesize
72KB

Download
memory/4492-830-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/4640-857-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/4848-180-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-181-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download