dcrat | 7a829de27620170b962c4d1d1f3e13427afc68bfd4d88042129edefb3d784e1f

Analysis

max time kernel
146s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a829de27620170b962c4d1d1f3e13427afc68bfd4d88042129edefb3d784e1f.exe
Size

1.3MB
MD5

cebc3094b597b014db9dead11fd2153a
SHA1

60ebf7e098d3d8de77661375f6671e47356fcb9e
SHA256

7a829de27620170b962c4d1d1f3e13427afc68bfd4d88042129edefb3d784e1f
SHA512

bfeb930bf2be0f049822c93e7707e4a9f86903a417673f906b268911d0b562f04622e1fb3aceded364292eb575d52068bceac1ea32c33ca9a47cd5bc260b42dd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	68	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	4804	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4804	schtasks.exe	70

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac18-282.dat	dcrat
behavioral1/files/0x000800000001ac18-283.dat	dcrat
behavioral1/memory/2752-284-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/files/0x000700000001ac32-367.dat	dcrat
behavioral1/files/0x000700000001ac32-366.dat	dcrat
behavioral1/files/0x000700000001ac32-964.dat	dcrat
behavioral1/files/0x000700000001ac32-970.dat	dcrat
behavioral1/files/0x000700000001ac32-976.dat	dcrat
behavioral1/files/0x000700000001ac32-982.dat	dcrat
behavioral1/files/0x000700000001ac32-988.dat	dcrat
behavioral1/files/0x000700000001ac32-994.dat	dcrat
behavioral1/files/0x000700000001ac32-1000.dat	dcrat
behavioral1/files/0x000700000001ac32-1006.dat	dcrat
behavioral1/files/0x000700000001ac32-1011.dat	dcrat

Executes dropped EXE 11 IoCs

pid	Process
2752	DllCommonsvc.exe
1176	csrss.exe
5684	csrss.exe
5448	csrss.exe
5456	csrss.exe
4948	csrss.exe
3204	csrss.exe
4892	csrss.exe
3836	csrss.exe
5520	csrss.exe
5016	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\e6c9b481da804f	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Web\4K\Wallpaper\Windows\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\GameBarPresenceWriter\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\PLA\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\servicing\Sessions\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3172	schtasks.exe
1176	schtasks.exe
3880	schtasks.exe
4540	schtasks.exe
2632	schtasks.exe
3284	schtasks.exe
2392	schtasks.exe
3780	schtasks.exe
5024	schtasks.exe
2384	schtasks.exe
2892	schtasks.exe
1420	schtasks.exe
5068	schtasks.exe
2072	schtasks.exe
4104	schtasks.exe
1572	schtasks.exe
1284	schtasks.exe
3304	schtasks.exe
2140	schtasks.exe
2472	schtasks.exe
4100	schtasks.exe
360	schtasks.exe
1672	schtasks.exe
3348	schtasks.exe
3300	schtasks.exe
1600	schtasks.exe
3296	schtasks.exe
2088	schtasks.exe
1960	schtasks.exe
3948	schtasks.exe
4940	schtasks.exe
1828	schtasks.exe
424	schtasks.exe
764	schtasks.exe
3340	schtasks.exe
2612	schtasks.exe
3816	schtasks.exe
5004	schtasks.exe
912	schtasks.exe
312	schtasks.exe
1328	schtasks.exe
1664	schtasks.exe
1784	schtasks.exe
3328	schtasks.exe
1020	schtasks.exe
1596	schtasks.exe
4984	schtasks.exe
4656	schtasks.exe
3320	schtasks.exe
2800	schtasks.exe
500	schtasks.exe
68	schtasks.exe
4968	schtasks.exe
3316	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	7a829de27620170b962c4d1d1f3e13427afc68bfd4d88042129edefb3d784e1f.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
3856	powershell.exe
3856	powershell.exe
4036	powershell.exe
4036	powershell.exe
3848	powershell.exe
3848	powershell.exe
1384	powershell.exe
1384	powershell.exe
4916	powershell.exe
4916	powershell.exe
3888	powershell.exe
3888	powershell.exe
2588	powershell.exe
2588	powershell.exe
4584	powershell.exe
4584	powershell.exe
4764	powershell.exe
4764	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
4824	powershell.exe
4824	powershell.exe
2900	powershell.exe
2900	powershell.exe
4064	powershell.exe
4064	powershell.exe
1496	powershell.exe
1496	powershell.exe
2588	powershell.exe
3640	powershell.exe
3640	powershell.exe
4288	powershell.exe
4288	powershell.exe
4288	powershell.exe
4772	powershell.exe
4772	powershell.exe
424	powershell.exe
424	powershell.exe
1176	csrss.exe
1176	csrss.exe
5044	powershell.exe
5044	powershell.exe
424	powershell.exe
3640	powershell.exe
3848	powershell.exe
432	powershell.exe
4772	powershell.exe
3888	powershell.exe
3856	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1176	csrss.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeIncreaseQuotaPrivilege	432	powershell.exe
Token: SeSecurityPrivilege	432	powershell.exe
Token: SeTakeOwnershipPrivilege	432	powershell.exe
Token: SeLoadDriverPrivilege	432	powershell.exe
Token: SeSystemProfilePrivilege	432	powershell.exe
Token: SeSystemtimePrivilege	432	powershell.exe
Token: SeProfSingleProcessPrivilege	432	powershell.exe
Token: SeIncBasePriorityPrivilege	432	powershell.exe
Token: SeCreatePagefilePrivilege	432	powershell.exe
Token: SeBackupPrivilege	432	powershell.exe
Token: SeRestorePrivilege	432	powershell.exe
Token: SeShutdownPrivilege	432	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeSystemEnvironmentPrivilege	432	powershell.exe
Token: SeRemoteShutdownPrivilege	432	powershell.exe
Token: SeUndockPrivilege	432	powershell.exe
Token: SeManageVolumePrivilege	432	powershell.exe
Token: 33	432	powershell.exe
Token: 34	432	powershell.exe
Token: 35	432	powershell.exe
Token: 36	432	powershell.exe
Token: SeIncreaseQuotaPrivilege	2588	powershell.exe
Token: SeSecurityPrivilege	2588	powershell.exe
Token: SeTakeOwnershipPrivilege	2588	powershell.exe
Token: SeLoadDriverPrivilege	2588	powershell.exe
Token: SeSystemProfilePrivilege	2588	powershell.exe
Token: SeSystemtimePrivilege	2588	powershell.exe
Token: SeProfSingleProcessPrivilege	2588	powershell.exe
Token: SeIncBasePriorityPrivilege	2588	powershell.exe
Token: SeCreatePagefilePrivilege	2588	powershell.exe
Token: SeBackupPrivilege	2588	powershell.exe
Token: SeRestorePrivilege	2588	powershell.exe
Token: SeShutdownPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeSystemEnvironmentPrivilege	2588	powershell.exe
Token: SeRemoteShutdownPrivilege	2588	powershell.exe
Token: SeUndockPrivilege	2588	powershell.exe
Token: SeManageVolumePrivilege	2588	powershell.exe
Token: 33	2588	powershell.exe
Token: 34	2588	powershell.exe
Token: 35	2588	powershell.exe
Token: 36	2588	powershell.exe
Token: SeIncreaseQuotaPrivilege	4288	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 1488	4328	7a829de27620170b962c4d1d1f3e13427afc68bfd4d88042129edefb3d784e1f.exe	66
PID 4328 wrote to memory of 1488	4328	7a829de27620170b962c4d1d1f3e13427afc68bfd4d88042129edefb3d784e1f.exe	66
PID 4328 wrote to memory of 1488	4328	7a829de27620170b962c4d1d1f3e13427afc68bfd4d88042129edefb3d784e1f.exe	66
PID 1488 wrote to memory of 3136	1488	WScript.exe	67
PID 1488 wrote to memory of 3136	1488	WScript.exe	67
PID 1488 wrote to memory of 3136	1488	WScript.exe	67
PID 3136 wrote to memory of 2752	3136	cmd.exe	69
PID 3136 wrote to memory of 2752	3136	cmd.exe	69
PID 2752 wrote to memory of 3848	2752	DllCommonsvc.exe	125
PID 2752 wrote to memory of 3848	2752	DllCommonsvc.exe	125
PID 2752 wrote to memory of 3888	2752	DllCommonsvc.exe	128
PID 2752 wrote to memory of 3888	2752	DllCommonsvc.exe	128
PID 2752 wrote to memory of 3856	2752	DllCommonsvc.exe	127
PID 2752 wrote to memory of 3856	2752	DllCommonsvc.exe	127
PID 2752 wrote to memory of 4036	2752	DllCommonsvc.exe	129
PID 2752 wrote to memory of 4036	2752	DllCommonsvc.exe	129
PID 2752 wrote to memory of 4916	2752	DllCommonsvc.exe	137
PID 2752 wrote to memory of 4916	2752	DllCommonsvc.exe	137
PID 2752 wrote to memory of 1384	2752	DllCommonsvc.exe	131
PID 2752 wrote to memory of 1384	2752	DllCommonsvc.exe	131
PID 2752 wrote to memory of 432	2752	DllCommonsvc.exe	132
PID 2752 wrote to memory of 432	2752	DllCommonsvc.exe	132
PID 2752 wrote to memory of 4064	2752	DllCommonsvc.exe	133
PID 2752 wrote to memory of 4064	2752	DllCommonsvc.exe	133
PID 2752 wrote to memory of 4824	2752	DllCommonsvc.exe	139
PID 2752 wrote to memory of 4824	2752	DllCommonsvc.exe	139
PID 2752 wrote to memory of 2588	2752	DllCommonsvc.exe	140
PID 2752 wrote to memory of 2588	2752	DllCommonsvc.exe	140
PID 2752 wrote to memory of 4584	2752	DllCommonsvc.exe	141
PID 2752 wrote to memory of 4584	2752	DllCommonsvc.exe	141
PID 2752 wrote to memory of 4764	2752	DllCommonsvc.exe	142
PID 2752 wrote to memory of 4764	2752	DllCommonsvc.exe	142
PID 2752 wrote to memory of 2900	2752	DllCommonsvc.exe	143
PID 2752 wrote to memory of 2900	2752	DllCommonsvc.exe	143
PID 2752 wrote to memory of 1496	2752	DllCommonsvc.exe	145
PID 2752 wrote to memory of 1496	2752	DllCommonsvc.exe	145
PID 2752 wrote to memory of 4288	2752	DllCommonsvc.exe	149
PID 2752 wrote to memory of 4288	2752	DllCommonsvc.exe	149
PID 2752 wrote to memory of 5044	2752	DllCommonsvc.exe	154
PID 2752 wrote to memory of 5044	2752	DllCommonsvc.exe	154
PID 2752 wrote to memory of 4772	2752	DllCommonsvc.exe	155
PID 2752 wrote to memory of 4772	2752	DllCommonsvc.exe	155
PID 2752 wrote to memory of 3640	2752	DllCommonsvc.exe	156
PID 2752 wrote to memory of 3640	2752	DllCommonsvc.exe	156
PID 2752 wrote to memory of 424	2752	DllCommonsvc.exe	157
PID 2752 wrote to memory of 424	2752	DllCommonsvc.exe	157
PID 2752 wrote to memory of 1176	2752	DllCommonsvc.exe	163
PID 2752 wrote to memory of 1176	2752	DllCommonsvc.exe	163
PID 1176 wrote to memory of 5944	1176	csrss.exe	165
PID 1176 wrote to memory of 5944	1176	csrss.exe	165
PID 5944 wrote to memory of 5556	5944	cmd.exe	167
PID 5944 wrote to memory of 5556	5944	cmd.exe	167
PID 5944 wrote to memory of 5684	5944	cmd.exe	168
PID 5944 wrote to memory of 5684	5944	cmd.exe	168
PID 5684 wrote to memory of 5836	5684	csrss.exe	169
PID 5684 wrote to memory of 5836	5684	csrss.exe	169
PID 5836 wrote to memory of 5968	5836	cmd.exe	171
PID 5836 wrote to memory of 5968	5836	cmd.exe	171
PID 5836 wrote to memory of 5448	5836	cmd.exe	172
PID 5836 wrote to memory of 5448	5836	cmd.exe	172
PID 5448 wrote to memory of 5780	5448	csrss.exe	173
PID 5448 wrote to memory of 5780	5448	csrss.exe	173
PID 5780 wrote to memory of 3840	5780	cmd.exe	175
PID 5780 wrote to memory of 3840	5780	cmd.exe	175

C:\Users\Admin\AppData\Local\Temp\7a829de27620170b962c4d1d1f3e13427afc68bfd4d88042129edefb3d784e1f.exe
"C:\Users\Admin\AppData\Local\Temp\7a829de27620170b962c4d1d1f3e13427afc68bfd4d88042129edefb3d784e1f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\4K\Wallpaper\Windows\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\msadc\ja-JP\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:424
    - - C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5556
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5968
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3840
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"
        12⤵
        
        PID:984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4100
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
        14⤵
        
        PID:3992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1664
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        16⤵
        
        PID:4936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4712
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat"
        18⤵
        
        PID:4924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2680
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        20⤵
        
        PID:4240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:548
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
        22⤵
        
        PID:648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4192
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        23⤵
        Executes dropped EXE
        
        PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Web\4K\Wallpaper\Windows\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\System\msadc\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:68

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e51a2ba949c1e9f05c459a9a9b27280b

SHA1
65af3cc40f3ee3590a3e024ac917d2fba84c08d1

SHA256
7392a59a7622cba1091bb38a59f9578f6c7d6aedb831b545d0e0136699174113

SHA512
e25b608ca72b8f2e685dd4590b9044c5b7364811ae8db28be77be98212af49bd29973a1a430d7c653c9e75620f932b1e4dbf69e94987be5196449aadcc2e2935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2936523aaa5a27fa03468c3086e3b95b

SHA1
56935841aa9847a0b34d635be4d4ef390e5913ae

SHA256
336968f6826a8abb218d90dd01ec5992e3fb58d272c7106dbe7c6c233a90b8ea

SHA512
4fd4492a511b761788bd4aa92c3c9d33c024d52f593cde5223fae52e4117fd5631eb4153b8ba9b5930e3d320378b630ff78fc4f441fe46c7234305a19dba66ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa366de96c6a8b5fa476a522d53296c5

SHA1
327cb5c81735f30b5d41a8ed9b469aff827227e9

SHA256
84a1fa9bf57ff953b568802272747a3f8749678da78cd3b3ad3ae7a6d19caf22

SHA512
f93a42a1222f55c2f5456f9577d6bb88442ce12897025a0e72665a39eaa303679d9417e7f0269f07433d1b62edca52c8c9d554c630f56c31cfb7596638e44c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c2e13056a0f0262d11c4add6f9cbf568

SHA1
82e14f5fa39b4ec5b039962491e518d93753a559

SHA256
8929550705d4e0bcb940b2cbc83fb19d7c730c8ed564daaa05f1905364a394ad

SHA512
468853c13ebc439e585e932acccc54024a57d7743b3f71dce9e09cc0ce25156016e3559b2d4bae7920532c1cc52cbb0ea8b7c3d10a3857501ed38ba563f4ae9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b38b8d0c9ca4e44c31a9d3c01afea175

SHA1
265c5b045cfdf317412652b773307e0c9b82fb8e

SHA256
88797dd647607b3b6d6e8e8546f4d1774069c93789bb0ec2f3075971112ca6ec

SHA512
84b3b9636b11ec115445f56b671428c725d9a2da9f0c8d3a42c3fab0b6811bb9f6e9add4b741c138905024f4b8b07ae910cc906e839f97e586b6484da8837f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b38b8d0c9ca4e44c31a9d3c01afea175

SHA1
265c5b045cfdf317412652b773307e0c9b82fb8e

SHA256
88797dd647607b3b6d6e8e8546f4d1774069c93789bb0ec2f3075971112ca6ec

SHA512
84b3b9636b11ec115445f56b671428c725d9a2da9f0c8d3a42c3fab0b6811bb9f6e9add4b741c138905024f4b8b07ae910cc906e839f97e586b6484da8837f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
29586167b5b97375f95c48beda3d893d

SHA1
ad62876acabf3ddf84acf4a4bc1ec8fe4a801803

SHA256
70b7494915239737b50eff04ab08f0952ee61f27f9278a8c1c353ec729ac9630

SHA512
a268059056da1d2c71f44c29463ddb9d96c9608a6f10a123476c71ed27b169b402644afc7860f05380bebc7caa4d2e3cda7978e226fe5ba7fdf965b19f16ab85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
29586167b5b97375f95c48beda3d893d

SHA1
ad62876acabf3ddf84acf4a4bc1ec8fe4a801803

SHA256
70b7494915239737b50eff04ab08f0952ee61f27f9278a8c1c353ec729ac9630

SHA512
a268059056da1d2c71f44c29463ddb9d96c9608a6f10a123476c71ed27b169b402644afc7860f05380bebc7caa4d2e3cda7978e226fe5ba7fdf965b19f16ab85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b31fd864723a23a630f76ceeabaea0f0

SHA1
08d651e3203dea8718345cfe693683d4896be8b2

SHA256
c6ba4dc1c4dcb36b4bd2e258bae097e6e6b0ba5c1201c8c62aaaf4019bc9d60b

SHA512
8d09dcf7bd0bf74fed1dc93f15a2da23fbb124ffe01dc3cc0541f1d989c288ef7bf5a91326c46949cbd6bb21c63f2102013c43242ba091f579698794b851e5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b31fd864723a23a630f76ceeabaea0f0

SHA1
08d651e3203dea8718345cfe693683d4896be8b2

SHA256
c6ba4dc1c4dcb36b4bd2e258bae097e6e6b0ba5c1201c8c62aaaf4019bc9d60b

SHA512
8d09dcf7bd0bf74fed1dc93f15a2da23fbb124ffe01dc3cc0541f1d989c288ef7bf5a91326c46949cbd6bb21c63f2102013c43242ba091f579698794b851e5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5492314bedb1ad1583f8cc5e71bcddfe

SHA1
3ac19bfb2a6ec55d4dc6888c314ac508537829ba

SHA256
add9e3cb9283177f8a86d00521873da2fbd8f804b44c0ca285a3d937c6669060

SHA512
26683dd433a86ae24827b2e8402373833219ed49fb890525d382f142bc30c137d84d3ffde8a6e5c9a7f05a30ff1509d4312bca3fc441e9f868d9878caa2bd947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5492314bedb1ad1583f8cc5e71bcddfe

SHA1
3ac19bfb2a6ec55d4dc6888c314ac508537829ba

SHA256
add9e3cb9283177f8a86d00521873da2fbd8f804b44c0ca285a3d937c6669060

SHA512
26683dd433a86ae24827b2e8402373833219ed49fb890525d382f142bc30c137d84d3ffde8a6e5c9a7f05a30ff1509d4312bca3fc441e9f868d9878caa2bd947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2db4579f53ec4a4c0b52024d9695ad56

SHA1
7555bac394fb950934c636bbd63e96f33a9dc0fa

SHA256
376f9d2d663912a05b511b506f1343f76d9c03edff869bf79249dd363b52b05f

SHA512
f135afffb00a51efe9c52bf91cab569a78657c52acd96fae9bfa50067bac2e0636b71fa99225741608431e0d2c27763a7a8bc7fa300469fdf0b470e0727b7607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2db4579f53ec4a4c0b52024d9695ad56

SHA1
7555bac394fb950934c636bbd63e96f33a9dc0fa

SHA256
376f9d2d663912a05b511b506f1343f76d9c03edff869bf79249dd363b52b05f

SHA512
f135afffb00a51efe9c52bf91cab569a78657c52acd96fae9bfa50067bac2e0636b71fa99225741608431e0d2c27763a7a8bc7fa300469fdf0b470e0727b7607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99633b1e88a7c3f11295cd7a142a941d

SHA1
c744d0a6fa113c7e004f9b9355605969593fe14a

SHA256
f1944009f1361432996f381fc8ed615075cdd9ae8b54ce6944e6d20bcbd61fab

SHA512
9933441f81bf8faeb1f0e220d30230cc7180c046f0e726eb826daf86dc92f5d29fd0993764e6b19e925ed5bf02dd129429d9ae49a7642bb7a4ce58f49693d9dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99633b1e88a7c3f11295cd7a142a941d

SHA1
c744d0a6fa113c7e004f9b9355605969593fe14a

SHA256
f1944009f1361432996f381fc8ed615075cdd9ae8b54ce6944e6d20bcbd61fab

SHA512
9933441f81bf8faeb1f0e220d30230cc7180c046f0e726eb826daf86dc92f5d29fd0993764e6b19e925ed5bf02dd129429d9ae49a7642bb7a4ce58f49693d9dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a88fa04071dcd1dd10cb01d22d78aac

SHA1
177a95a2d75d7f1f6104609346cc284192de38a0

SHA256
cecf944ddf46931ec08293a72ede6505aa6b9fd6b0de83cc148e58ed2e784f08

SHA512
06273ed4463710c72f527ac780552fad3af3fba7fd6e7f961543012d60538d37b440f19aedfd1ee21338ef71b9ac1fab829bf291893d7067dc7d42ba9fade0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat

Filesize
192B

MD5
c5e7c20006869ea8c6b6db689013bea9

SHA1
68e77f4b55d5788bcf015f5ec0e3fedf23982f30

SHA256
ecce6e9da8e558e4f370cf4214456bdda68e227f197c8d6fd8b56a738d26ee75

SHA512
7a96c28541bea710c9dd6efea721520c86d6b663bcfd667d3ba2f8fe7f3ef4b3b771d616e4414dcfaba598227b1c1542f9198f3f278cbc0689793e7ffb049db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
192B

MD5
5121037ea44970319dde8c720aa55834

SHA1
f316cf4f782b49014ab7fa4f1f166cf90e97a7e9

SHA256
b8091c55ffcbdc33c548c072a9a193d0baef47ca051a5413b0349a4b7e5c0944

SHA512
6033208ee0e1e7008a70ac5c59d1e1ed94cba999b099ffba3b371abf06b9bf9142c5dfeb282658ac3e788b7ed65572fb217a8ec385a8d0fc5bf0d10240272cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat

Filesize
192B

MD5
ff7b97137ca8835df08d0226604766bc

SHA1
196642c92635b52a9668bd3ac20b531b88ee543e

SHA256
b4e1fa4d62bb3a512a4f0f4c5f72401dce6757d6a28822f4c269166417af2b61

SHA512
f74d96f3a7b6835d55a32faea274370590fc8e9de6b4dd3411a31229aed64b459809bd0837fdfbd6da43849da605e688a6c9f7a54c1e70bd83285d4846e6ce6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

Filesize
192B

MD5
17ee16e3a8859b9e7832f61dd3147ddf

SHA1
2714b484a7a383bc55c34eaf4188662bf298af1d

SHA256
62761a9ca31d3e4aa6022bc8973f6d17959c497b1c4cf92939e5a1d46e7d6c04

SHA512
d13af61973ed480ab80282f2a43efb95b205c16651ff5002170ba0b2f26034f4f6b008c18c70dfbc00c82a1a5e60ad9d640285ace64a465cc02c40d278e7cc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat

Filesize
192B

MD5
da7f44da57346e8c0e887a46783bd14e

SHA1
266aef675c3134fbc279c76f301a3593f476c664

SHA256
66d2ec76d65e8c81658ced057abe35e0af866588cc0abb124fd22c1d8b0671b6

SHA512
3d8833ed7218612b34b05bdffff04a768e982b47abafb68c23229229354abef98d9535020eccf93b70beeb59a4a884eb4439b4912ee335277a25a622170b28bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

Filesize
192B

MD5
68d1260e650c6464dc4bbdc2e8c3e10f

SHA1
b8d5bd8e57eebd9c0ff1f32388de8540e3f09df2

SHA256
9a6d31d5734d245a3dda38b16f721dc70d395c26156f08e7f7746bceee361eeb

SHA512
6f7b10a3d78b03e267a9044d4ed021c9a8fc3bce277bfb21078e82e5bd9cbebe56cd34ab52b07457dd819a76a6da35d0f5f137c67562c6b18bd363721d6e412f

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
192B

MD5
6af19ecbee3cc18dc57a00a1ae5c844f

SHA1
fb326739b20d4f5997a57b40188ca2b4902e93fd

SHA256
f0b31c270600d281bdb3b7e7e8f5cd6addef61233c0a9220d044f14a656ebfd6

SHA512
0e3a9a9512286bb747fa27dbca1becb4921cd620770c946bf3e6080df446f4baa9e50ac65e920a554f78c038888b9d2d5d8c13bdb39cc06530bb246ab0da7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
192B

MD5
0ea80c1045ac889caddf0aa4ae1801c0

SHA1
1ee5baed16a270db9fb1376339800fc8a5fd62b4

SHA256
b993568b7805dc7b6316579f7962d5d7ac35575e5d8f337aeb3c878e5ddd0463

SHA512
f1693a56dbcb9236d31eedfbfe2a5d033a5a397769d414c021ec7c512460fea1abc61d5ff09a5868c257aa72de03f6edb9fa293df895a802967599cb87853383

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
192B

MD5
e243fb0e33e948c2e8057d755b7fa153

SHA1
c21627ae5e013a4148113c551e2519706b65ebde

SHA256
191b711890f9d463a98d85ad4652e853e3ebf21a87106c6fa226c16014518e0c

SHA512
7edc7962216a8f33f8b35f39ef2990a00a6fe3621b8cc28abcbe5282ad7b415e70952bef0bf835612b8e5415a0d8b36474736bb3a7936ec4f8ae58f0e3ecd55c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/424-339-0x0000000000000000-mapping.dmp

Download
memory/432-391-0x000001CF76E80000-0x000001CF76EF6000-memory.dmp

Filesize
472KB

Download
memory/432-295-0x0000000000000000-mapping.dmp

Download
memory/548-1004-0x0000000000000000-mapping.dmp

Download
memory/648-1007-0x0000000000000000-mapping.dmp

Download
memory/984-978-0x0000000000000000-mapping.dmp

Download
memory/1176-357-0x0000000000000000-mapping.dmp

Download
memory/1176-388-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/1384-294-0x0000000000000000-mapping.dmp

Download
memory/1488-183-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1488-182-0x0000000000000000-mapping.dmp

Download
memory/1488-184-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-313-0x0000000000000000-mapping.dmp

Download
memory/1664-986-0x0000000000000000-mapping.dmp

Download
memory/2588-300-0x0000000000000000-mapping.dmp

Download
memory/2680-998-0x0000000000000000-mapping.dmp

Download
memory/2752-288-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2752-281-0x0000000000000000-mapping.dmp

Download
memory/2752-287-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/2752-286-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/2752-285-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/2752-284-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/2900-309-0x0000000000000000-mapping.dmp

Download
memory/3136-258-0x0000000000000000-mapping.dmp

Download
memory/3204-987-0x0000000000000000-mapping.dmp

Download
memory/3204-989-0x0000000001480000-0x0000000001492000-memory.dmp

Filesize
72KB

Download
memory/3640-335-0x0000000000000000-mapping.dmp

Download
memory/3836-999-0x0000000000000000-mapping.dmp

Download
memory/3836-1001-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/3840-974-0x0000000000000000-mapping.dmp

Download
memory/3848-289-0x0000000000000000-mapping.dmp

Download
memory/3848-373-0x0000019CCD140000-0x0000019CCD162000-memory.dmp

Filesize
136KB

Download
memory/3856-291-0x0000000000000000-mapping.dmp

Download
memory/3888-290-0x0000000000000000-mapping.dmp

Download
memory/3992-984-0x0000000000000000-mapping.dmp

Download
memory/4036-292-0x0000000000000000-mapping.dmp

Download
memory/4064-296-0x0000000000000000-mapping.dmp

Download
memory/4100-980-0x0000000000000000-mapping.dmp

Download
memory/4192-1009-0x0000000000000000-mapping.dmp

Download
memory/4240-1002-0x0000000000000000-mapping.dmp

Download
memory/4288-319-0x0000000000000000-mapping.dmp

Download
memory/4328-163-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-149-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-119-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-120-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-121-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-181-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-180-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-179-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-124-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-123-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-178-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-177-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-176-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-175-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-174-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-173-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-126-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-172-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-127-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-169-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-171-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-170-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-168-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-167-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-166-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-165-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-164-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-118-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-162-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-161-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-160-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-159-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-158-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-157-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-156-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-155-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-154-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-153-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-128-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-152-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-150-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-129-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-151-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-130-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-131-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-132-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-133-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-134-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-148-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-147-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-135-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-146-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-136-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-145-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-144-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-143-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-138-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-142-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-137-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-141-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-140-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-139-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4584-303-0x0000000000000000-mapping.dmp

Download
memory/4712-992-0x0000000000000000-mapping.dmp

Download
memory/4764-305-0x0000000000000000-mapping.dmp

Download
memory/4772-329-0x0000000000000000-mapping.dmp

Download
memory/4824-298-0x0000000000000000-mapping.dmp

Download
memory/4892-993-0x0000000000000000-mapping.dmp

Download
memory/4892-995-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/4916-293-0x0000000000000000-mapping.dmp

Download
memory/4924-996-0x0000000000000000-mapping.dmp

Download
memory/4936-990-0x0000000000000000-mapping.dmp

Download
memory/4948-981-0x0000000000000000-mapping.dmp

Download
memory/4948-983-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/5016-1012-0x00000000009B0000-0x00000000009C2000-memory.dmp

Filesize
72KB

Download
memory/5016-1010-0x0000000000000000-mapping.dmp

Download
memory/5044-324-0x0000000000000000-mapping.dmp

Download
memory/5448-969-0x0000000000000000-mapping.dmp

Download
memory/5448-971-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/5456-977-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/5456-975-0x0000000000000000-mapping.dmp

Download
memory/5520-1005-0x0000000000000000-mapping.dmp

Download
memory/5556-863-0x0000000000000000-mapping.dmp

Download
memory/5684-963-0x0000000000000000-mapping.dmp

Download
memory/5780-972-0x0000000000000000-mapping.dmp

Download
memory/5836-966-0x0000000000000000-mapping.dmp

Download
memory/5944-684-0x0000000000000000-mapping.dmp

Download
memory/5968-968-0x0000000000000000-mapping.dmp

Download