dcrat | 984fba411edafc74b76d3e7d6176c9247fca8033d629151ec3d73da1c86d3e4a

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

984fba411edafc74b76d3e7d6176c9247fca8033d629151ec3d73da1c86d3e4a.exe
Size

1.3MB
MD5

db30163308fe0448913bc1aeaba9eb9e
SHA1

f0ccb2db3cdaa556139fd10852629c950bc30326
SHA256

984fba411edafc74b76d3e7d6176c9247fca8033d629151ec3d73da1c86d3e4a
SHA512

0fe7b4702435fe203cae74483369e60f34b92691548828c892a30df2b733ddc30de84df2731e40610fe5864c54b5dc13a2ea9abc0aea19db5153de1b7753b7e7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4508	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	4508	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac37-284.dat	dcrat
behavioral1/files/0x000800000001ac37-285.dat	dcrat
behavioral1/memory/3320-286-0x00000000006E0000-0x00000000007F0000-memory.dmp	dcrat
behavioral1/files/0x000800000001ac37-299.dat	dcrat
behavioral1/files/0x000a00000001ac5e-805.dat	dcrat
behavioral1/files/0x000a00000001ac5e-806.dat	dcrat
behavioral1/files/0x000a00000001ac5e-901.dat	dcrat
behavioral1/files/0x000a00000001ac5e-908.dat	dcrat
behavioral1/files/0x000a00000001ac5e-913.dat	dcrat
behavioral1/files/0x000a00000001ac5e-918.dat	dcrat
behavioral1/files/0x000a00000001ac5e-923.dat	dcrat
behavioral1/files/0x000a00000001ac5e-929.dat	dcrat
behavioral1/files/0x000a00000001ac5e-935.dat	dcrat
behavioral1/files/0x000a00000001ac5e-941.dat	dcrat
behavioral1/files/0x000a00000001ac5e-947.dat	dcrat
behavioral1/files/0x000a00000001ac5e-953.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
3320	DllCommonsvc.exe
4840	DllCommonsvc.exe
1556	explorer.exe
4932	explorer.exe
1392	explorer.exe
4972	explorer.exe
2312	explorer.exe
3652	explorer.exe
2832	explorer.exe
3964	explorer.exe
3664	explorer.exe
1800	explorer.exe
660	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\it\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\it\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\index\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4192	schtasks.exe
4860	schtasks.exe
2572	schtasks.exe
632	schtasks.exe
5048	schtasks.exe
4288	schtasks.exe
4748	schtasks.exe
4176	schtasks.exe
2036	schtasks.exe
1332	schtasks.exe
4756	schtasks.exe
4608	schtasks.exe
516	schtasks.exe
3216	schtasks.exe
2448	schtasks.exe
3592	schtasks.exe
2152	schtasks.exe
1248	schtasks.exe
4196	schtasks.exe
4772	schtasks.exe
2124	schtasks.exe
3536	schtasks.exe
2908	schtasks.exe
4012	schtasks.exe
3360	schtasks.exe
1660	schtasks.exe
2040	schtasks.exe
5008	schtasks.exe
1880	schtasks.exe
4216	schtasks.exe
4176	schtasks.exe
4216	schtasks.exe
2392	schtasks.exe
4128	schtasks.exe
4152	schtasks.exe
4056	schtasks.exe
3664	schtasks.exe
3976	schtasks.exe
3500	schtasks.exe
4788	schtasks.exe
5108	schtasks.exe
2320	schtasks.exe
4352	schtasks.exe
4208	schtasks.exe
4920	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	984fba411edafc74b76d3e7d6176c9247fca8033d629151ec3d73da1c86d3e4a.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3320	DllCommonsvc.exe
3320	DllCommonsvc.exe
3320	DllCommonsvc.exe
3320	DllCommonsvc.exe
3320	DllCommonsvc.exe
3884	powershell.exe
4648	powershell.exe
4740	powershell.exe
4552	powershell.exe
4648	powershell.exe
3884	powershell.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4552	powershell.exe
4740	powershell.exe
4648	powershell.exe
4552	powershell.exe
3884	powershell.exe
4740	powershell.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4840	DllCommonsvc.exe
4548	powershell.exe
4548	powershell.exe
4584	powershell.exe
4584	powershell.exe
2628	powershell.exe
2628	powershell.exe
2776	powershell.exe
2776	powershell.exe
4688	powershell.exe
4688	powershell.exe
4608	powershell.exe
4608	powershell.exe
5020	powershell.exe
5020	powershell.exe
1280	powershell.exe
1280	powershell.exe
1280	powershell.exe
656	powershell.exe
656	powershell.exe
324	powershell.exe
324	powershell.exe
1224	powershell.exe
1224	powershell.exe
1836	powershell.exe
1836	powershell.exe
2776	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3320	DllCommonsvc.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4840	DllCommonsvc.exe
Token: SeIncreaseQuotaPrivilege	3884	powershell.exe
Token: SeSecurityPrivilege	3884	powershell.exe
Token: SeTakeOwnershipPrivilege	3884	powershell.exe
Token: SeLoadDriverPrivilege	3884	powershell.exe
Token: SeSystemProfilePrivilege	3884	powershell.exe
Token: SeSystemtimePrivilege	3884	powershell.exe
Token: SeProfSingleProcessPrivilege	3884	powershell.exe
Token: SeIncBasePriorityPrivilege	3884	powershell.exe
Token: SeCreatePagefilePrivilege	3884	powershell.exe
Token: SeBackupPrivilege	3884	powershell.exe
Token: SeRestorePrivilege	3884	powershell.exe
Token: SeShutdownPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeSystemEnvironmentPrivilege	3884	powershell.exe
Token: SeRemoteShutdownPrivilege	3884	powershell.exe
Token: SeUndockPrivilege	3884	powershell.exe
Token: SeManageVolumePrivilege	3884	powershell.exe
Token: 33	3884	powershell.exe
Token: 34	3884	powershell.exe
Token: 35	3884	powershell.exe
Token: 36	3884	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4648	powershell.exe
Token: SeTakeOwnershipPrivilege	4648	powershell.exe
Token: SeLoadDriverPrivilege	4648	powershell.exe
Token: SeSystemProfilePrivilege	4648	powershell.exe
Token: SeSystemtimePrivilege	4648	powershell.exe
Token: SeProfSingleProcessPrivilege	4648	powershell.exe
Token: SeIncBasePriorityPrivilege	4648	powershell.exe
Token: SeCreatePagefilePrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4648	powershell.exe
Token: SeRestorePrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSystemEnvironmentPrivilege	4648	powershell.exe
Token: SeRemoteShutdownPrivilege	4648	powershell.exe
Token: SeUndockPrivilege	4648	powershell.exe
Token: SeManageVolumePrivilege	4648	powershell.exe
Token: 33	4648	powershell.exe
Token: 34	4648	powershell.exe
Token: 35	4648	powershell.exe
Token: 36	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4552	powershell.exe
Token: SeSecurityPrivilege	4552	powershell.exe
Token: SeTakeOwnershipPrivilege	4552	powershell.exe
Token: SeLoadDriverPrivilege	4552	powershell.exe
Token: SeSystemProfilePrivilege	4552	powershell.exe
Token: SeSystemtimePrivilege	4552	powershell.exe
Token: SeProfSingleProcessPrivilege	4552	powershell.exe
Token: SeIncBasePriorityPrivilege	4552	powershell.exe
Token: SeCreatePagefilePrivilege	4552	powershell.exe
Token: SeBackupPrivilege	4552	powershell.exe
Token: SeRestorePrivilege	4552	powershell.exe
Token: SeShutdownPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeSystemEnvironmentPrivilege	4552	powershell.exe
Token: SeRemoteShutdownPrivilege	4552	powershell.exe
Token: SeUndockPrivilege	4552	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4432	2300	984fba411edafc74b76d3e7d6176c9247fca8033d629151ec3d73da1c86d3e4a.exe	66
PID 2300 wrote to memory of 4432	2300	984fba411edafc74b76d3e7d6176c9247fca8033d629151ec3d73da1c86d3e4a.exe	66
PID 2300 wrote to memory of 4432	2300	984fba411edafc74b76d3e7d6176c9247fca8033d629151ec3d73da1c86d3e4a.exe	66
PID 4432 wrote to memory of 5056	4432	WScript.exe	67
PID 4432 wrote to memory of 5056	4432	WScript.exe	67
PID 4432 wrote to memory of 5056	4432	WScript.exe	67
PID 5056 wrote to memory of 3320	5056	cmd.exe	69
PID 5056 wrote to memory of 3320	5056	cmd.exe	69
PID 3320 wrote to memory of 3884	3320	DllCommonsvc.exe	80
PID 3320 wrote to memory of 3884	3320	DllCommonsvc.exe	80
PID 3320 wrote to memory of 4740	3320	DllCommonsvc.exe	88
PID 3320 wrote to memory of 4740	3320	DllCommonsvc.exe	88
PID 3320 wrote to memory of 4552	3320	DllCommonsvc.exe	82
PID 3320 wrote to memory of 4552	3320	DllCommonsvc.exe	82
PID 3320 wrote to memory of 4648	3320	DllCommonsvc.exe	83
PID 3320 wrote to memory of 4648	3320	DllCommonsvc.exe	83
PID 3320 wrote to memory of 4840	3320	DllCommonsvc.exe	87
PID 3320 wrote to memory of 4840	3320	DllCommonsvc.exe	87
PID 4840 wrote to memory of 4548	4840	DllCommonsvc.exe	126
PID 4840 wrote to memory of 4548	4840	DllCommonsvc.exe	126
PID 4840 wrote to memory of 4584	4840	DllCommonsvc.exe	127
PID 4840 wrote to memory of 4584	4840	DllCommonsvc.exe	127
PID 4840 wrote to memory of 2628	4840	DllCommonsvc.exe	128
PID 4840 wrote to memory of 2628	4840	DllCommonsvc.exe	128
PID 4840 wrote to memory of 4688	4840	DllCommonsvc.exe	129
PID 4840 wrote to memory of 4688	4840	DllCommonsvc.exe	129
PID 4840 wrote to memory of 1280	4840	DllCommonsvc.exe	142
PID 4840 wrote to memory of 1280	4840	DllCommonsvc.exe	142
PID 4840 wrote to memory of 1224	4840	DllCommonsvc.exe	141
PID 4840 wrote to memory of 1224	4840	DllCommonsvc.exe	141
PID 4840 wrote to memory of 1836	4840	DllCommonsvc.exe	136
PID 4840 wrote to memory of 1836	4840	DllCommonsvc.exe	136
PID 4840 wrote to memory of 4608	4840	DllCommonsvc.exe	135
PID 4840 wrote to memory of 4608	4840	DllCommonsvc.exe	135
PID 4840 wrote to memory of 2776	4840	DllCommonsvc.exe	137
PID 4840 wrote to memory of 2776	4840	DllCommonsvc.exe	137
PID 4840 wrote to memory of 2152	4840	DllCommonsvc.exe	138
PID 4840 wrote to memory of 2152	4840	DllCommonsvc.exe	138
PID 4840 wrote to memory of 5020	4840	DllCommonsvc.exe	144
PID 4840 wrote to memory of 5020	4840	DllCommonsvc.exe	144
PID 4840 wrote to memory of 656	4840	DllCommonsvc.exe	146
PID 4840 wrote to memory of 656	4840	DllCommonsvc.exe	146
PID 4840 wrote to memory of 324	4840	DllCommonsvc.exe	147
PID 4840 wrote to memory of 324	4840	DllCommonsvc.exe	147
PID 4840 wrote to memory of 2040	4840	DllCommonsvc.exe	158
PID 4840 wrote to memory of 2040	4840	DllCommonsvc.exe	158
PID 2040 wrote to memory of 1216	2040	w32tm.exe	154
PID 2040 wrote to memory of 1216	2040	w32tm.exe	154
PID 2040 wrote to memory of 1556	2040	w32tm.exe	155
PID 2040 wrote to memory of 1556	2040	w32tm.exe	155
PID 1556 wrote to memory of 1344	1556	explorer.exe	156
PID 1556 wrote to memory of 1344	1556	explorer.exe	156
PID 1344 wrote to memory of 2040	1344	cmd.exe	158
PID 1344 wrote to memory of 2040	1344	cmd.exe	158
PID 1344 wrote to memory of 4932	1344	cmd.exe	159
PID 1344 wrote to memory of 4932	1344	cmd.exe	159
PID 4932 wrote to memory of 5072	4932	explorer.exe	160
PID 4932 wrote to memory of 5072	4932	explorer.exe	160
PID 5072 wrote to memory of 1880	5072	cmd.exe	162
PID 5072 wrote to memory of 1880	5072	cmd.exe	162
PID 5072 wrote to memory of 1392	5072	cmd.exe	163
PID 5072 wrote to memory of 1392	5072	cmd.exe	163
PID 1392 wrote to memory of 4124	1392	explorer.exe	164
PID 1392 wrote to memory of 4124	1392	explorer.exe	164

C:\Users\Admin\AppData\Local\Temp\984fba411edafc74b76d3e7d6176c9247fca8033d629151ec3d73da1c86d3e4a.exe
"C:\Users\Admin\AppData\Local\Temp\984fba411edafc74b76d3e7d6176c9247fca8033d629151ec3d73da1c86d3e4a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'
        6⤵
        
        PID:2152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\it\csrss.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:656
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:324
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M820awsdHW.bat"
        6⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1216
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1880
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
        12⤵
        
        PID:4124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3780
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat"
        14⤵
        
        PID:4856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4108
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
        16⤵
        
        PID:3500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4984
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
        18⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4808
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        20⤵
        
        PID:4268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2936
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
        22⤵
        
        PID:4120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4788
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"
        24⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1256
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
        26⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1344
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
        28⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\it\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\it\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\it\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6eabc9c24180ffe59d399e50c1a1abf0

SHA1
c276fd3a0d8d3a2b90ae15aa4ee646bd77702798

SHA256
40a8061ade009200bebca95a94049961b56e9cfb351b8b1c595c603ad929e02d

SHA512
a3a1e88e91bc611cde58538dfcf9cdd64336071793fc4d7225ec2501b109311aad8c84def61d97cef2f929504c77b95507c5229b0543a5d09d493b991b5106bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
232aeb7f1a55b6321f7ef81d894e99c8

SHA1
f4c0fc62cec8a5acaaf9cb8c4760d2db398539de

SHA256
2fc8cc956ef75843e57aa3b2163d78c89865f7651acee4d71100264a6a9ab5f3

SHA512
69d6966bdd91075309650fcd4aa8e584a21a4a43d0ed73666b53dff1f92651207abd6a0c0558733836a15235df317efcfe25ad06c5c6f84a12aec6604bdb41af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
232aeb7f1a55b6321f7ef81d894e99c8

SHA1
f4c0fc62cec8a5acaaf9cb8c4760d2db398539de

SHA256
2fc8cc956ef75843e57aa3b2163d78c89865f7651acee4d71100264a6a9ab5f3

SHA512
69d6966bdd91075309650fcd4aa8e584a21a4a43d0ed73666b53dff1f92651207abd6a0c0558733836a15235df317efcfe25ad06c5c6f84a12aec6604bdb41af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
986e5302178f5e661fa3f9fb3f6c9f75

SHA1
42b529eff466a2bd4bfa04e2569f74e64e301355

SHA256
baa80c0ced444ca3484934ae977c01484e3d33610cb67896812fad0180b18b79

SHA512
6dac89388bd1ba6b8ef0890c0a01b7a808f93916160158e06e12ab3bfcf0057fc66ec85249ba0d21144da90edf035c4f59c85df2ba79331f80df4ebe697c3987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d57fde6dec0dce87a0c0b58f3a85b5e

SHA1
c9f1a8a5e66d5e893df978bc8d0b844488edd36f

SHA256
879172bf9fda7b2fba94c3b39e9f50c24068e5bfdd38e40d49045f9ecb3cf709

SHA512
588b5592c2e1f0ac7abf5a5cc18055343d2bbf77aa640c1230e1ebb5742ff5a36eb3655489887a58242087bb62727d787935b6ee18e17dd4248a5a32c5a81c08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ee3492dd628acfdca08274901101361

SHA1
78d5205b3be462a610c60c37d62d696906e28981

SHA256
bc1ed27de5ef1a8a919e385cddd73a74f86311c58b476ca6eccbed5ce7e5c14f

SHA512
0a45185fd6b7605913f21e3a1da904825065e9bda6e2303994ccaa6fcf97159ffc08c46350e866b1f617f41c18de23d092ee9f17dfc683107dac0ccf5682561a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4cf1a0d96a682565d7128140e5ee6ee0

SHA1
431d0a9e5ad3bb06bca3fbd11bb99abb9dfe9ea8

SHA256
86b745ac5a536ca491230bf3b73b14fc3884de106ad4de87e19a5ab3b2e24573

SHA512
9040d95d4812c6ea299c8479793dea9527927ef7f0ea9ca9a872bd24c16d2c732f941d7290cc37b326964d1499ec06140c5b074cd7016cab75e9ce4abc4447f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b1b4bc952d82916caa4fa9e352828b78

SHA1
77c1062437f407e87cbe936d959043a9cb62c9d8

SHA256
51e89e5987ba98228d0f7bc5fa12fbf1fcf17c3e9cb02a583062071294ab7ef9

SHA512
6ece12b3e02da62edb6d8cbe9ed699dbb6cb26372531b0102cc133fc71b9c8cadae352d778b776b25cf22cdb83832136509cf39dc0cc10b3d786fcea3079473d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
49fbd2003871172f18e427af50629c9f

SHA1
e7ea48d38d761ba4c720bacc8b7f29d71e741410

SHA256
fc19c32af5b1257947a9fc08ab3c0eb4291ef17621200ca03e440f1fd1d7f780

SHA512
a65eca6e0309221055a7cbeb6687e4ceea15f94a15a2a60359db91aed95a9e4d969c8d9e9460c328f3316d581ac76623d247eaee5a2ded7abb1bc6b6cac49873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a415a8d47339cec70b4414a443b3e36f

SHA1
40f7d9f0adeeb307eccce80c90cd5e5537089611

SHA256
9dc18e1e15cf8a58f1356652fe1fd103ca1666791a9b5a7e6423a10c911924fe

SHA512
4f74011be727fb299adf81efff2c359e9c3808891f8a2bcc082f7ab3ebf373beee74a6d7c2933dabf3e1533841870021ed9e5c73e9702c5042228e94b0befd40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d7b2ad24bd016daef44b293d8349eb2

SHA1
38a81618b45bd1896736dfd5d10076e1eb96ff9e

SHA256
1d86a363de93bbaf72b5477d602664c16296ce54e3f05ef43f401aa717d2bd02

SHA512
975e015b3c27331701040c9bb2724884c09be0ee4c3a55257673a57304fb9f7b450e77ccdfbbba39f66ed7a966f3e09514f61cece331feccc07c8367ff47f631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43aa0b66f6e51592a2c373189e150f7e

SHA1
46b830394a9e221229b03fcfc006e248cd88406c

SHA256
528504daef9d337f9a46a58ccd70a886b0bb8793e25bf2b8cd65246dae550b85

SHA512
b3a6bd75156fa4b94e6ae613146f29fe7efad0a6ef48aeec757bb3ba24859a771545ad29958b766e3d5f2f7a191ee221cd07f26efc7de7380ac614a1f9660431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92b2b34d4fa4a31e8738672bc281e43e

SHA1
9bb1a0ff9a236ee78d5c8fe62f2dec5d428bd190

SHA256
e0aa8ae7c7fee89e05b5f078b4a455bdf44c73a3a0cd32f3cc74ba6a7cb941e7

SHA512
be5f77ed07274eca262cc53abe899ec79b7340d7c4e92c439ff0089cc7610984159a1a2611ff69ffff810ef9f2913844080d812a4cda490e9f0912a0e0d1f19f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92b2b34d4fa4a31e8738672bc281e43e

SHA1
9bb1a0ff9a236ee78d5c8fe62f2dec5d428bd190

SHA256
e0aa8ae7c7fee89e05b5f078b4a455bdf44c73a3a0cd32f3cc74ba6a7cb941e7

SHA512
be5f77ed07274eca262cc53abe899ec79b7340d7c4e92c439ff0089cc7610984159a1a2611ff69ffff810ef9f2913844080d812a4cda490e9f0912a0e0d1f19f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92b2b34d4fa4a31e8738672bc281e43e

SHA1
9bb1a0ff9a236ee78d5c8fe62f2dec5d428bd190

SHA256
e0aa8ae7c7fee89e05b5f078b4a455bdf44c73a3a0cd32f3cc74ba6a7cb941e7

SHA512
be5f77ed07274eca262cc53abe899ec79b7340d7c4e92c439ff0089cc7610984159a1a2611ff69ffff810ef9f2913844080d812a4cda490e9f0912a0e0d1f19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat

Filesize
199B

MD5
7849240cb93b26cb512dc2a43283d0c9

SHA1
f5d9404261d3f95d359886205eacae25cf7fd725

SHA256
9f98660723a566b98eec79a1a4c2e460a22554346e4b655366b52b095eb70615

SHA512
efab787638b3a3aa2fe7c9e18c6d57ee896bd83fa555a1e2ec75b752a21938e4656bfd7da396251e18551174d5a1c20bdabffa556031360999fbef097bc4919a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

Filesize
199B

MD5
13ffe7a6d567c8c0cb1e32a4c6cd4fa0

SHA1
4d96b82f08c0460b861b7b32ec336d5238021314

SHA256
4f69f3da7ac9307e2da995f2bceee733536a3bf9e460ab244d8247a92bc365ab

SHA512
f62ea9def4c89872d4e841882e78b2a47e744b98b50620c8e29b8658d56bd9baf5a42b1d89f7866dbd27dcc36b1b99e2946e8f342775c573a8085a891b6e47ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

Filesize
199B

MD5
ba40ab6b41348b26a398271eeb437bfa

SHA1
fdfdf142aaf51f33471c4d0f3dbed16792a4238b

SHA256
ff140f784bfad2f21b7f61ba45a4bf1a5d88ee81cf5ae799f24647a5eeece694

SHA512
c0ecbaa6f79aae0e71466400e7de6d9914dbcfbca8f588120c114265b633c49acdf36e79996d8da2bd72f2abcd6b6e7d332c8e768a835ddfc4445b1fb15043ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat

Filesize
199B

MD5
83ba4373e0c54ec70336af7b1e59a282

SHA1
f89a3ea9c86cd9cd7021584a651a88b59f054e38

SHA256
d1bceaf9d570df24252a59eedd143ec139bbb6be8084fb8dd914c8c086143f28

SHA512
d90644873692ec98dd673599c8ba899afec8613c734b1184090d889cd2d42ba8ca5e5587545081f30c86275e0ea706c85d6e1addccf34caee44174d010b4fb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\M820awsdHW.bat

Filesize
199B

MD5
f2900508b31a2070e423a538c23f374f

SHA1
7b0bcd76a4e574b2308720a9f4eaff1690505422

SHA256
fa4113171f37205a828a069bca5953034cb9e26d604d54dd7f8e9df5679a1a88

SHA512
701c1868900e5a824db696bc857f47bc94099f078284f874fdab76598630f727471b8088c4efe4e49b3d4abc9fe545b4c6738922d4fcc48c34912ab7cfedc2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

Filesize
199B

MD5
1a9ab0070d6f42fc4a1f4bf261ec2612

SHA1
959fda0a88f256ec3f309d5a211b1b25bb5870de

SHA256
511f124e319b53d3f8eac6b15005cb52792bcec61bb396d67ae42a2d5cadae91

SHA512
55e2aae51e1b27bef8ffa0c4d605657875753ea9b78968f04ca165712342557af5908a16bbbf6d95d49420695b7a73d5d9d47df5a8b1b2ec6bb8a7f554d03bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat

Filesize
199B

MD5
3b41471f6aa42ed465f57386d36c3c82

SHA1
65f9578af162672bd00d9429dd1e7855ef229bd3

SHA256
fe7d8c4606a68f3e232c06f9791b9e75c24895987055df60e322f324692fca65

SHA512
d73855dc10d06c0e15e261ebca40b3cc141cf8bb72084251721652b8945a185c2fb3b1893be4a157153d2e397ef519f611ff23898bb2d8f93e0a121556dfb095

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

Filesize
199B

MD5
8d2fe70c0179aab753164bb90fa983df

SHA1
0937690d5845e51ba98ded4537c6e3e59fdd59c2

SHA256
7f3f853ee656189f7357f44500aad1d973bd71ecd71230014c0f3073c7d7dadb

SHA512
0ad1110c68a74d478edf202bb3d362418779cedfa06d096b60f3fcba4a14047e43d5813e3c077ee3a2a56afb510dd26dd132250e6fed12fd8d8bee0dbc50a5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat

Filesize
199B

MD5
bdb0305ed290a183a4c21008c38289f6

SHA1
c2dd654a780ae83e6618c5339a9845f0ed749b64

SHA256
642891d389de960067679f7e2c6519659a248a681353975a0a9c2e9843ffd6f8

SHA512
1014fe543e38863d945ad3180489630f5d702b86b2bc6fde48bf5188295f181d686d0aa25c39e0b58fbbfd2d614c5e942b954630fc865d8c719076c15a2adaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat

Filesize
199B

MD5
4996647ad88e67b6490ffe71da9342e2

SHA1
04f1c36d9a998461b3d114b63e453b2b22776cff

SHA256
735ca2d4fb8c31a5cec7a5a26e5ca3a915ae568757e62361c0711275bdf2c106

SHA512
4d0e479db8c34d62b98c9a83151fb247cfa2c82699d76cb34117d23fa1661509f6090b7713f8558e0d95c523e3c85e289de4c08f3a7a1581710cd6c1abb06a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
199B

MD5
9cb69e5ef066ea24b1f3f423ff29901c

SHA1
164441f4838e5399a9776b3515b16e7550ffbfd4

SHA256
d1b9c09205609309845d2560485b05b54623392ccc2d730636933241ecc9c9f1

SHA512
49d1c4a2348584c7db447ab9912e669982d30a2f1e18445e8180e99a73df010a11c24ea416bde4510b5fd423b68bc4baf1b4b5252867e802704b2879a4ff5fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

Filesize
199B

MD5
9871d9d5f1d0f361497417141882b4c5

SHA1
ed2c53b84a56aecc1c88d59a455abce9f8285210

SHA256
682c2c2ed10dc2415c49f0eac8bd6cbc4fddcea84510b543caabb992352cf5af

SHA512
47093e92ee5cb00bf3f24d713c091084b29b23755c2fe9a1d1ba860b8b483b144a9fa71973c27a53ecdcfea5481ded6653361be9ab252be12aba054cf771db79

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1556-843-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/1800-948-0x00000000014E0000-0x00000000014F2000-memory.dmp

Filesize
72KB

Download
memory/2300-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-183-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-182-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-176-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-159-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-158-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-157-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-156-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-146-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2300-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-930-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/3320-286-0x00000000006E0000-0x00000000007F0000-memory.dmp

Filesize
1.1MB

Download
memory/3320-290-0x0000000002A90000-0x0000000002A9C000-memory.dmp

Filesize
48KB

Download
memory/3320-289-0x0000000002A80000-0x0000000002A8C000-memory.dmp

Filesize
48KB

Download
memory/3320-288-0x0000000002910000-0x000000000291C000-memory.dmp

Filesize
48KB

Download
memory/3320-287-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/3652-924-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/3664-942-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/3884-314-0x0000015205520000-0x0000015205542000-memory.dmp

Filesize
136KB

Download
memory/3964-936-0x0000000000700000-0x0000000000712000-memory.dmp

Filesize
72KB

Download
memory/4432-185-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4432-186-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-319-0x000001E8EAD80000-0x000001E8EADF6000-memory.dmp

Filesize
472KB

Download
memory/4932-903-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download