dcrat | bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f

Analysis

max time kernel
147s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe
Size

1.3MB
MD5

478984bd305e57d32dad042cbd58d018
SHA1

a1606233afa27dc545688dccdb1e79a8792379b6
SHA256

bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f
SHA512

125c611c699c9f3fb026107cb8289199dcbe974a67d39d087ccd733984caa0c6fe863fadb2aeca7f79b1d034c3cbc2a462a0b8fe8b271ed63b1acacf9eeed0e6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	192	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	200	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4668	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abec-282.dat	dcrat
behavioral1/files/0x000800000001abec-283.dat	dcrat
behavioral1/memory/3200-284-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac26-357.dat	dcrat
behavioral1/files/0x000600000001ac26-360.dat	dcrat
behavioral1/files/0x000600000001ac26-893.dat	dcrat
behavioral1/files/0x000600000001ac26-899.dat	dcrat
behavioral1/files/0x000600000001ac26-904.dat	dcrat
behavioral1/files/0x000600000001ac26-909.dat	dcrat
behavioral1/files/0x000600000001ac26-915.dat	dcrat
behavioral1/files/0x000600000001ac26-920.dat	dcrat
behavioral1/files/0x000600000001ac26-925.dat	dcrat
behavioral1/files/0x000600000001ac26-930.dat	dcrat
behavioral1/files/0x000600000001ac26-935.dat	dcrat
behavioral1/files/0x000600000001ac26-940.dat	dcrat
behavioral1/files/0x000600000001ac26-945.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
3200	DllCommonsvc.exe
4480	csrss.exe
5856	csrss.exe
6036	csrss.exe
1848	csrss.exe
3144	csrss.exe
5656	csrss.exe
3548	csrss.exe
5616	csrss.exe
2536	csrss.exe
5032	csrss.exe
5376	csrss.exe
5772	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\taskhostw.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\en-US\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\en-US\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1068	schtasks.exe
1464	schtasks.exe
3432	schtasks.exe
1080	schtasks.exe
692	schtasks.exe
5008	schtasks.exe
4876	schtasks.exe
1940	schtasks.exe
4344	schtasks.exe
816	schtasks.exe
1432	schtasks.exe
2180	schtasks.exe
1164	schtasks.exe
4828	schtasks.exe
4960	schtasks.exe
4860	schtasks.exe
2764	schtasks.exe
588	schtasks.exe
4520	schtasks.exe
4748	schtasks.exe
1712	schtasks.exe
652	schtasks.exe
192	schtasks.exe
4868	schtasks.exe
4424	schtasks.exe
3900	schtasks.exe
4728	schtasks.exe
2308	schtasks.exe
312	schtasks.exe
200	schtasks.exe
3440	schtasks.exe
2800	schtasks.exe
1072	schtasks.exe
5016	schtasks.exe
4484	schtasks.exe
1528	schtasks.exe
1248	schtasks.exe
220	schtasks.exe
3348	schtasks.exe
4884	schtasks.exe
1252	schtasks.exe
1860	schtasks.exe
2232	schtasks.exe
1944	schtasks.exe
532	schtasks.exe
4976	schtasks.exe
3700	schtasks.exe
2228	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
3200	DllCommonsvc.exe
1856	powershell.exe
1856	powershell.exe
2584	powershell.exe
2584	powershell.exe
2656	powershell.exe
2656	powershell.exe
2432	powershell.exe
2432	powershell.exe
2424	powershell.exe
2424	powershell.exe
3964	powershell.exe
3964	powershell.exe
4720	powershell.exe
4720	powershell.exe
2940	powershell.exe
2940	powershell.exe
4384	powershell.exe
4384	powershell.exe
2220	powershell.exe
2220	powershell.exe
4632	powershell.exe
4632	powershell.exe
1456	powershell.exe
4024	powershell.exe
1456	powershell.exe
4024	powershell.exe
1272	powershell.exe
1272	powershell.exe
4720	powershell.exe
1556	powershell.exe
1556	powershell.exe
2432	powershell.exe
2880	powershell.exe
2880	powershell.exe
2940	powershell.exe
4192	powershell.exe
4192	powershell.exe
4024	powershell.exe
4632	powershell.exe
4480	csrss.exe
4480	csrss.exe
1272	powershell.exe
1856	powershell.exe
4192	powershell.exe
2432	powershell.exe
4720	powershell.exe
2584	powershell.exe
4024	powershell.exe
4384	powershell.exe
2220	powershell.exe
2656	powershell.exe
2424	powershell.exe
1456	powershell.exe
4632	powershell.exe
3964	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	DllCommonsvc.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4480	csrss.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeIncreaseQuotaPrivilege	4632	powershell.exe
Token: SeSecurityPrivilege	4632	powershell.exe
Token: SeTakeOwnershipPrivilege	4632	powershell.exe
Token: SeLoadDriverPrivilege	4632	powershell.exe
Token: SeSystemProfilePrivilege	4632	powershell.exe
Token: SeSystemtimePrivilege	4632	powershell.exe
Token: SeProfSingleProcessPrivilege	4632	powershell.exe
Token: SeIncBasePriorityPrivilege	4632	powershell.exe
Token: SeCreatePagefilePrivilege	4632	powershell.exe
Token: SeBackupPrivilege	4632	powershell.exe
Token: SeRestorePrivilege	4632	powershell.exe
Token: SeShutdownPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeSystemEnvironmentPrivilege	4632	powershell.exe
Token: SeRemoteShutdownPrivilege	4632	powershell.exe
Token: SeUndockPrivilege	4632	powershell.exe
Token: SeManageVolumePrivilege	4632	powershell.exe
Token: 33	4632	powershell.exe
Token: 34	4632	powershell.exe
Token: 35	4632	powershell.exe
Token: 36	4632	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	4720	powershell.exe
Token: SeSystemProfilePrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4720	powershell.exe
Token: SeSystemtimePrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4720	powershell.exe
Token: SeProfSingleProcessPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4720	powershell.exe
Token: SeIncBasePriorityPrivilege	4024	powershell.exe
Token: SeSystemProfilePrivilege	4720	powershell.exe
Token: SeCreatePagefilePrivilege	4024	powershell.exe
Token: SeSystemtimePrivilege	4720	powershell.exe
Token: SeBackupPrivilege	4024	powershell.exe
Token: SeProfSingleProcessPrivilege	4720	powershell.exe
Token: SeRestorePrivilege	4024	powershell.exe
Token: SeIncBasePriorityPrivilege	4720	powershell.exe
Token: SeCreatePagefilePrivilege	4720	powershell.exe
Token: SeBackupPrivilege	4720	powershell.exe
Token: SeRestorePrivilege	4720	powershell.exe
Token: SeShutdownPrivilege	4720	powershell.exe
Token: SeShutdownPrivilege	4024	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4512	3040	bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe	66
PID 3040 wrote to memory of 4512	3040	bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe	66
PID 3040 wrote to memory of 4512	3040	bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe	66
PID 4512 wrote to memory of 4272	4512	WScript.exe	67
PID 4512 wrote to memory of 4272	4512	WScript.exe	67
PID 4512 wrote to memory of 4272	4512	WScript.exe	67
PID 4272 wrote to memory of 3200	4272	cmd.exe	69
PID 4272 wrote to memory of 3200	4272	cmd.exe	69
PID 3200 wrote to memory of 1856	3200	DllCommonsvc.exe	128
PID 3200 wrote to memory of 1856	3200	DllCommonsvc.exe	128
PID 3200 wrote to memory of 2584	3200	DllCommonsvc.exe	127
PID 3200 wrote to memory of 2584	3200	DllCommonsvc.exe	127
PID 3200 wrote to memory of 2656	3200	DllCommonsvc.exe	125
PID 3200 wrote to memory of 2656	3200	DllCommonsvc.exe	125
PID 3200 wrote to memory of 2424	3200	DllCommonsvc.exe	123
PID 3200 wrote to memory of 2424	3200	DllCommonsvc.exe	123
PID 3200 wrote to memory of 2432	3200	DllCommonsvc.exe	121
PID 3200 wrote to memory of 2432	3200	DllCommonsvc.exe	121
PID 3200 wrote to memory of 3964	3200	DllCommonsvc.exe	119
PID 3200 wrote to memory of 3964	3200	DllCommonsvc.exe	119
PID 3200 wrote to memory of 4720	3200	DllCommonsvc.exe	117
PID 3200 wrote to memory of 4720	3200	DllCommonsvc.exe	117
PID 3200 wrote to memory of 2940	3200	DllCommonsvc.exe	116
PID 3200 wrote to memory of 2940	3200	DllCommonsvc.exe	116
PID 3200 wrote to memory of 4384	3200	DllCommonsvc.exe	114
PID 3200 wrote to memory of 4384	3200	DllCommonsvc.exe	114
PID 3200 wrote to memory of 2220	3200	DllCommonsvc.exe	95
PID 3200 wrote to memory of 2220	3200	DllCommonsvc.exe	95
PID 3200 wrote to memory of 4632	3200	DllCommonsvc.exe	96
PID 3200 wrote to memory of 4632	3200	DllCommonsvc.exe	96
PID 3200 wrote to memory of 4024	3200	DllCommonsvc.exe	97
PID 3200 wrote to memory of 4024	3200	DllCommonsvc.exe	97
PID 3200 wrote to memory of 1456	3200	DllCommonsvc.exe	98
PID 3200 wrote to memory of 1456	3200	DllCommonsvc.exe	98
PID 3200 wrote to memory of 1272	3200	DllCommonsvc.exe	109
PID 3200 wrote to memory of 1272	3200	DllCommonsvc.exe	109
PID 3200 wrote to memory of 1556	3200	DllCommonsvc.exe	100
PID 3200 wrote to memory of 1556	3200	DllCommonsvc.exe	100
PID 3200 wrote to memory of 2880	3200	DllCommonsvc.exe	101
PID 3200 wrote to memory of 2880	3200	DllCommonsvc.exe	101
PID 3200 wrote to memory of 4192	3200	DllCommonsvc.exe	102
PID 3200 wrote to memory of 4192	3200	DllCommonsvc.exe	102
PID 3200 wrote to memory of 4480	3200	DllCommonsvc.exe	106
PID 3200 wrote to memory of 4480	3200	DllCommonsvc.exe	106
PID 4480 wrote to memory of 4296	4480	csrss.exe	155
PID 4480 wrote to memory of 4296	4480	csrss.exe	155
PID 4296 wrote to memory of 5204	4296	cmd.exe	157
PID 4296 wrote to memory of 5204	4296	cmd.exe	157
PID 4296 wrote to memory of 5856	4296	cmd.exe	158
PID 4296 wrote to memory of 5856	4296	cmd.exe	158
PID 5856 wrote to memory of 5960	5856	csrss.exe	159
PID 5856 wrote to memory of 5960	5856	csrss.exe	159
PID 5960 wrote to memory of 6016	5960	cmd.exe	161
PID 5960 wrote to memory of 6016	5960	cmd.exe	161
PID 5960 wrote to memory of 6036	5960	cmd.exe	162
PID 5960 wrote to memory of 6036	5960	cmd.exe	162
PID 6036 wrote to memory of 6140	6036	csrss.exe	163
PID 6036 wrote to memory of 6140	6036	csrss.exe	163
PID 6140 wrote to memory of 4880	6140	cmd.exe	165
PID 6140 wrote to memory of 4880	6140	cmd.exe	165
PID 6140 wrote to memory of 1848	6140	cmd.exe	166
PID 6140 wrote to memory of 1848	6140	cmd.exe	166
PID 1848 wrote to memory of 5456	1848	csrss.exe	167
PID 1848 wrote to memory of 5456	1848	csrss.exe	167

C:\Users\Admin\AppData\Local\Temp\bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe
"C:\Users\Admin\AppData\Local\Temp\bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\en-US\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
    - - C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5204
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:6016
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:6140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4880
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
        12⤵
        
        PID:5456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5512
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        14⤵
        
        PID:4320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2176
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
        16⤵
        
        PID:4520
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat"
        18⤵
        
        PID:3416
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        20⤵
        
        PID:5668
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        22⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4144
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
        24⤵
        
        PID:4604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4804
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
        26⤵
        
        PID:4564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:5100
        
        C:\Users\All Users\csrss.exe
        
        "C:\Users\All Users\csrss.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        28⤵
        
        PID:3448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:5592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520
- C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  2⤵
  PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4612

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1da862ba22475ca1536507f73dacb692

SHA1
f17e2b4cccd3646c3feed02c7f13837547fc2f22

SHA256
19bb5d3d4af66439ebc33cab1b498e2ce1ff7a34aebc735070be1670881eeb1e

SHA512
62282301403661ba3f9b2980a561bc225cda7190e10ed7812d11def4f68ac51e6ff68a2306cb5152c2fab06f22f571f1f95d2b2a807d4dc0835fc9658ede130c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
698e59ab096269a07e296f0b0a496e76

SHA1
e13d07f641653de5e5119d7aec540cccddc3ea08

SHA256
3c2261e6a1d3975c5dc33278e5a2edcbd5cc572f706d35f15ffc9b4e28cd10b2

SHA512
c3a9791c897ccb3d75c5fd7c51e2a45c7b03e432305f8bada98fb04d916abf1ca813bd0b8575efc623120334259766057323c85ddd4052bbac047e97f8ab7da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0bdfaa14d7814b541a77f4e97920dfd6

SHA1
c239720eee47db7f7136bb78e37c539b9e735c4c

SHA256
4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272

SHA512
dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0bdfaa14d7814b541a77f4e97920dfd6

SHA1
c239720eee47db7f7136bb78e37c539b9e735c4c

SHA256
4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272

SHA512
dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0bdfaa14d7814b541a77f4e97920dfd6

SHA1
c239720eee47db7f7136bb78e37c539b9e735c4c

SHA256
4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272

SHA512
dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5810dda934c3202f1d79f9681de38eb2

SHA1
b29043024eef221ad0b5f508325a7e3ac3ecb73d

SHA256
dac3c0c6cecbbc01020ede2207398276ee59dca0020da50ca5b131724a528086

SHA512
276d1051d0fd6b2d7897949d0f33f5ff76535fa16927896cf2e974afa0654eada4087a23bf987ed80de35fdf3c185cc9f956239405d00d1f6e8e2a946e5d4b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b47618e8327408c2eb96aec02d9f245e

SHA1
a055f9088f7673920930de0aa3fb0f824b3e2a7c

SHA256
08559caa6c886bfa38511e7e3e22f1fe442abf407986e0a472ab7da9f04a5bd8

SHA512
26315346754f97cced7bd3df028f24f384de96ca05bc8f58ab2040337a64ca0a28e158ea07637bb8b93a3fe276354cf214965cf0391d85351ef1d0133816ff32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b47618e8327408c2eb96aec02d9f245e

SHA1
a055f9088f7673920930de0aa3fb0f824b3e2a7c

SHA256
08559caa6c886bfa38511e7e3e22f1fe442abf407986e0a472ab7da9f04a5bd8

SHA512
26315346754f97cced7bd3df028f24f384de96ca05bc8f58ab2040337a64ca0a28e158ea07637bb8b93a3fe276354cf214965cf0391d85351ef1d0133816ff32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b47618e8327408c2eb96aec02d9f245e

SHA1
a055f9088f7673920930de0aa3fb0f824b3e2a7c

SHA256
08559caa6c886bfa38511e7e3e22f1fe442abf407986e0a472ab7da9f04a5bd8

SHA512
26315346754f97cced7bd3df028f24f384de96ca05bc8f58ab2040337a64ca0a28e158ea07637bb8b93a3fe276354cf214965cf0391d85351ef1d0133816ff32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c56b052a640b53815754876f27acbbae

SHA1
5ac6bfd91c9f89c99c51e8704d6b0c4d6e290a7f

SHA256
5815d928040f07653c14eb83ccafd7f9d58342c52fecd6f9c6c565b4506a55e4

SHA512
816ffc96846f7fda32351bb42410adceb797cba5c4f1559cde5549db0cfccd6ea03384862e85a7183532ca9d44187d5f93702a7dde648eee9f06100e11789707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2a5f8ad4cf63c7ec3d249873f04471d

SHA1
a12785d6badef2e939375cb245bd78ab9f14ca21

SHA256
eb0e8a5a8ec4136db4e0c9e6649ed012c7bd18954f530ad2293a0678c6e68476

SHA512
56902a74fc1c7458bdcb895f38d3cfb83e0e7f0b7326753b52a0f8c0acfaf0a885e0e1aa0e27e311477ffabfd857ed6b7cd80f5c90fd1d06a817885571821a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45993efc2e7a9364ea82fe0e177126b3

SHA1
fe371fe6cc4396630beca58dc58ddba3a97309ed

SHA256
a5732f6a1c95ebce5fbcde32d72f592dc76169138e7c74cd8798e60a5f2989cc

SHA512
babb9cfd9377f023dcc818e59fee9733d1fecba73343a32b384e48de9795a94789aa8b8a2ad0d935e9a7a79689263ebfee3c2b24bb4d90cf5e6a6dc139787af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45993efc2e7a9364ea82fe0e177126b3

SHA1
fe371fe6cc4396630beca58dc58ddba3a97309ed

SHA256
a5732f6a1c95ebce5fbcde32d72f592dc76169138e7c74cd8798e60a5f2989cc

SHA512
babb9cfd9377f023dcc818e59fee9733d1fecba73343a32b384e48de9795a94789aa8b8a2ad0d935e9a7a79689263ebfee3c2b24bb4d90cf5e6a6dc139787af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bbded89b2de33483fdb82a576dd87516

SHA1
73849b4d89703e24dd3357655a37997aa42a1dfd

SHA256
2d48a16de458837ee98cc5868707a279502add89be530b6e9a08c0426c296559

SHA512
2bd9f608455801322e3718fdfee0d522c7616258cfcb3edc9af2d924fca5291e4f043183af6fb1bfff476dcb157338df070ed7dd80de20e328a4927b8da82fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bbded89b2de33483fdb82a576dd87516

SHA1
73849b4d89703e24dd3357655a37997aa42a1dfd

SHA256
2d48a16de458837ee98cc5868707a279502add89be530b6e9a08c0426c296559

SHA512
2bd9f608455801322e3718fdfee0d522c7616258cfcb3edc9af2d924fca5291e4f043183af6fb1bfff476dcb157338df070ed7dd80de20e328a4927b8da82fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

Filesize
193B

MD5
9c3e866b6e48f0caf10f0d4b319a1bb8

SHA1
016214373da362be65c7d16075dd0a332022d3d6

SHA256
1b3e459d1e481f9ab74d3295c9ee26b476778306e8db3a1577f606738a8a287f

SHA512
d854929706bcbd3b16e26779c3983b6f18efe88d0033b6843311709eb733ece3965bade60e19fdbf2294678e3369d914ef02ebd102d082a3f7d0a0ad73284d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

Filesize
193B

MD5
7580ce7dea2d4efa34d1f43a03ac5b8c

SHA1
79af2e4db7f10056b1e7b5a8d86b4625a8f280c4

SHA256
b915e3e0185f14a29cdd2298960f074038cc1a7525688f052e7f06f7f3aa73b9

SHA512
69dcd263c3a85ce97dd34c9b8f152cd6a88535830ead6e03bbc6cf43e8af1bce8ef380576c6bea1723c68b159470f4314f26d7f98eb06b3be06e2a5a7c3fd0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
193B

MD5
db5583eb7a1843155f769705a1a2f121

SHA1
8e698eb8dab8be9af5c0b3c60dc315cc925e85ac

SHA256
392d913501cb26441c83514a64f7d185d8c90b4cd004a889637140b22bf19208

SHA512
bb3cd2f4fb80adddf27ce81783bb3d77933aaa0469442a059872bea9de78d226fafbf2144874fd47d515e8bf8f8c11d7c311fa05f0a9d370d51b8c0169e063c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
193B

MD5
bc52ad8e50178fed604143f8df646a48

SHA1
0706d36d5389112d2d5d2ed101866f99ae8b60a7

SHA256
cefeaebf5f16bd7b1648967442cf0d9edcd08bbf276714074f05784f1dc4a464

SHA512
28049b709ddb5910243af78f6d1ea830d33f75f82bb012ecb38dda469e15e0d3e53a1c46c4e57bd1541943b18d64d12cfedf8415e1b694433ee488adc791c686

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
193B

MD5
ac94ea105d8ea37547c4e1a7f4220593

SHA1
25542f659f28e5fc6a5e9438d471e2ed4a5a017c

SHA256
579822e23cdfd543b74265f45c3bfa0264d5ddcd20053bce76d67140dea5f166

SHA512
ce08377cd06883237e626804c15c843b17bfc0772cd68aa6a75ce1c8367ebaffd99ebaa88de9040370e7b48a33aeaa080a0f90aff2128f29535cfdef25e5f572

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
193B

MD5
2702d12971298670ca83a570c40bbd33

SHA1
6036aff5118d113f73355fba632e5139547e0407

SHA256
d3c00362da227874f5538b22363a0cf0f4bd37202aa5de026e259fdf86d438d4

SHA512
dc71ef40f2852407141b261ed61f7efa7ae1654039d8801891462a6c972651f408b93d22e078c4faffd27a0e4da5152c118679a6e9cd830b1fbd53c0fb24e61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat

Filesize
193B

MD5
c8e31cc02b8071169fbf471e1b6d6a70

SHA1
b77177ac93f08c247ded529f49035b38c8f79d53

SHA256
6fec3d93a524d3dbf331a7dd4921743e9449f7539fc0f086a8b7f1d4e013b559

SHA512
95368ed4e5517bb257f2c7b6d615c95660da6a237ba3df7027366377cfeacd9c7f668d0969dd4299bd3066d0262b02a8efa86d96cb2c7b58ae31277cb0cf237a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

Filesize
193B

MD5
d8436e603c13087316e53ab671b5893a

SHA1
3409396af56e0937041ede0820568170420ab7a6

SHA256
0cfe15f3a58649400db0dc5b6b2bd0f2d3adfda1b217c2069aca1abec512be3e

SHA512
89be234f512df5287e2762706a762d5458f86998ea170c1e48bda202604df52e47990f556051e13363877142e02747b4c828ef17f9f2a6b806be615512af2bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

Filesize
193B

MD5
d8436e603c13087316e53ab671b5893a

SHA1
3409396af56e0937041ede0820568170420ab7a6

SHA256
0cfe15f3a58649400db0dc5b6b2bd0f2d3adfda1b217c2069aca1abec512be3e

SHA512
89be234f512df5287e2762706a762d5458f86998ea170c1e48bda202604df52e47990f556051e13363877142e02747b4c828ef17f9f2a6b806be615512af2bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

Filesize
193B

MD5
a49a125336fe55b13bb6a7085e477c6a

SHA1
a1ddebf5260f17b6d52139ee8d1b5bbebadb03c0

SHA256
51b127f9636c0094f59a86943db0a8bbaa266dafaa59565cc15ec403b3771814

SHA512
e42d10331535d0e977dd3d3d00ed18da63f967418b970eea32f2370af0e076b47b96f511662fc9556b7c30481bb03f5c8b8d318530659466df5bc8cb4c3853f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
193B

MD5
1eaa1d36c1815a87e26bea0f8de4c840

SHA1
62769a9c874a5d094b4333981384992e24218952

SHA256
76ed85ce2d522d32eb528e5f42a38ba6a97d62c1cab5468ba2d1ffa5c0ef0cd3

SHA512
0f3807422eb60f3339b8107b49ff7812314c61fa4c66ae588b10c64dd86f2134e4f61dfaece039880652ea718518b8ac6c1ce65f12f0977b654d8acde8b43449

Download Submit
C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat

Filesize
193B

MD5
d461476fe82728a84172cc6c77780973

SHA1
84aaab2e574ad653f779bb90b434cd39a86ffd30

SHA256
1055a64283ef2d25a576c47bc6fe6f5a0be88cc79d7961baae644a6fd8cf9db6

SHA512
3d9ada631d5365187f7879cb815a539f1b99071cf4771a19fe678d49e0214ff8423bf5497a862828c2f7f8a54175ed5c7a3bae7550e12548f02eb7b9c1ba3f72

Download Submit
C:\Users\All Users\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1856-375-0x000001F023460000-0x000001F023482000-memory.dmp

Filesize
136KB

Download
memory/3040-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3040-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3144-910-0x0000000001590000-0x00000000015A2000-memory.dmp

Filesize
72KB

Download
memory/3200-288-0x0000000001190000-0x000000000119C000-memory.dmp

Filesize
48KB

Download
memory/3200-285-0x0000000001120000-0x0000000001132000-memory.dmp

Filesize
72KB

Download
memory/3200-284-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/3200-286-0x00000000011A0000-0x00000000011AC000-memory.dmp

Filesize
48KB

Download
memory/3200-287-0x0000000001130000-0x000000000113C000-memory.dmp

Filesize
48KB

Download
memory/4480-378-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/4512-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4512-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4720-385-0x000001956A020000-0x000001956A096000-memory.dmp

Filesize
472KB

Download
memory/5772-946-0x0000000000960000-0x0000000000972000-memory.dmp

Filesize
72KB

Download