dcrat | 24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210.exe
Size

1.3MB
MD5

38810c1f555f437c27ca186865f42cd1
SHA1

f57c2dbc190ab1e7b8e25e5dc08ca46c7a5bc036
SHA256

24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210
SHA512

9a4d0e74f4f43c3347c128cd82b7152214d76a964463533b8153c922f43904a9f63253697616931626597cdf2427e230384811a75e3751ad4658ff9746e1e495
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2148	schtasks.exe	39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2148	schtasks.exe	39

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000b00000002171d-137.dat	dcrat
behavioral1/files/0x000b00000002171d-138.dat	dcrat
behavioral1/memory/4528-139-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/files/0x000b00000002171d-152.dat	dcrat
behavioral1/files/0x0006000000022e6f-229.dat	dcrat
behavioral1/files/0x0006000000022e6f-228.dat	dcrat
behavioral1/files/0x0006000000022e6f-236.dat	dcrat
behavioral1/files/0x0006000000022e6f-244.dat	dcrat
behavioral1/files/0x0006000000022e6f-251.dat	dcrat
behavioral1/files/0x0006000000022e6f-258.dat	dcrat
behavioral1/files/0x0006000000022e6f-265.dat	dcrat
behavioral1/files/0x0006000000022e6f-272.dat	dcrat
behavioral1/files/0x0006000000022e6f-279.dat	dcrat
behavioral1/files/0x0006000000022e6f-286.dat	dcrat
behavioral1/files/0x0006000000022e6f-293.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4528	DllCommonsvc.exe
4436	Conhost.exe
4564	conhost.exe
4760	conhost.exe
3188	conhost.exe
4028	conhost.exe
672	conhost.exe
4772	conhost.exe
1180	conhost.exe
4532	conhost.exe
1856	conhost.exe
4356	conhost.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\winlogon.exe	Conhost.exe
File created	C:\Program Files\VideoLAN\sppsvc.exe	Conhost.exe
File created	C:\Program Files\VideoLAN\0a1fd5f707cd16	Conhost.exe
File created	C:\Program Files\Mozilla Firefox\fonts\explorer.exe	Conhost.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\cc11b995f2a76d	Conhost.exe
File created	C:\Program Files\Mozilla Firefox\fonts\7a0fd90576e088	Conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
848	schtasks.exe
1388	schtasks.exe
4876	schtasks.exe
3676	schtasks.exe
2560	schtasks.exe
4892	schtasks.exe
3376	schtasks.exe
3656	schtasks.exe
4696	schtasks.exe
864	schtasks.exe
4260	schtasks.exe
4784	schtasks.exe
1668	schtasks.exe
3488	schtasks.exe
4696	schtasks.exe
4724	schtasks.exe
4148	schtasks.exe
4572	schtasks.exe
2872	schtasks.exe
4532	schtasks.exe
4524	schtasks.exe
220	schtasks.exe
4156	schtasks.exe
60	schtasks.exe
4184	schtasks.exe
3376	schtasks.exe
4876	schtasks.exe
4136	schtasks.exe
2348	schtasks.exe
1712	schtasks.exe
1544	schtasks.exe
3464	schtasks.exe
4504	schtasks.exe
2180	schtasks.exe
4432	schtasks.exe
4292	schtasks.exe
4172	schtasks.exe
4284	schtasks.exe
3192	schtasks.exe
812	schtasks.exe
2412	schtasks.exe
4316	schtasks.exe
4708	schtasks.exe
3144	schtasks.exe
1164	schtasks.exe
3632	schtasks.exe
4724	schtasks.exe
2316	schtasks.exe
1072	schtasks.exe
3100	schtasks.exe
3620	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	Conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4528	DllCommonsvc.exe
4924	powershell.exe
4924	powershell.exe
3444	powershell.exe
3444	powershell.exe
4928	powershell.exe
4928	powershell.exe
2968	powershell.exe
2968	powershell.exe
3448	powershell.exe
1888	powershell.exe
1888	powershell.exe
3448	powershell.exe
2320	powershell.exe
2320	powershell.exe
1404	powershell.exe
1404	powershell.exe
2752	powershell.exe
2752	powershell.exe
4196	powershell.exe
4196	powershell.exe
4436	Conhost.exe
4436	Conhost.exe
4196	powershell.exe
4928	powershell.exe
2752	powershell.exe
1404	powershell.exe
2320	powershell.exe
3448	powershell.exe
1888	powershell.exe
2968	powershell.exe
3444	powershell.exe
4924	powershell.exe
4436	Conhost.exe
4436	Conhost.exe
4436	Conhost.exe
4436	Conhost.exe
4436	Conhost.exe
4436	Conhost.exe
2084	powershell.exe
5084	powershell.exe
4260	powershell.exe
2084	powershell.exe
2832	powershell.exe
2832	powershell.exe
3928	powershell.exe
3928	powershell.exe
4236	powershell.exe
4236	powershell.exe
3520	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	DllCommonsvc.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4436	Conhost.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	4564	conhost.exe
Token: SeDebugPrivilege	4760	conhost.exe
Token: SeDebugPrivilege	3188	conhost.exe
Token: SeDebugPrivilege	4028	conhost.exe
Token: SeDebugPrivilege	672	conhost.exe
Token: SeDebugPrivilege	4772	conhost.exe
Token: SeDebugPrivilege	1180	conhost.exe
Token: SeDebugPrivilege	4532	conhost.exe
Token: SeDebugPrivilege	1856	conhost.exe
Token: SeDebugPrivilege	4356	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 684	4172	24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210.exe	80
PID 4172 wrote to memory of 684	4172	24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210.exe	80
PID 4172 wrote to memory of 684	4172	24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210.exe	80
PID 684 wrote to memory of 5020	684	WScript.exe	81
PID 684 wrote to memory of 5020	684	WScript.exe	81
PID 684 wrote to memory of 5020	684	WScript.exe	81
PID 5020 wrote to memory of 4528	5020	cmd.exe	83
PID 5020 wrote to memory of 4528	5020	cmd.exe	83
PID 4528 wrote to memory of 3448	4528	DllCommonsvc.exe	111
PID 4528 wrote to memory of 3448	4528	DllCommonsvc.exe	111
PID 4528 wrote to memory of 3444	4528	DllCommonsvc.exe	112
PID 4528 wrote to memory of 3444	4528	DllCommonsvc.exe	112
PID 4528 wrote to memory of 2968	4528	DllCommonsvc.exe	117
PID 4528 wrote to memory of 2968	4528	DllCommonsvc.exe	117
PID 4528 wrote to memory of 4924	4528	DllCommonsvc.exe	116
PID 4528 wrote to memory of 4924	4528	DllCommonsvc.exe	116
PID 4528 wrote to memory of 4928	4528	DllCommonsvc.exe	115
PID 4528 wrote to memory of 4928	4528	DllCommonsvc.exe	115
PID 4528 wrote to memory of 1888	4528	DllCommonsvc.exe	119
PID 4528 wrote to memory of 1888	4528	DllCommonsvc.exe	119
PID 4528 wrote to memory of 4196	4528	DllCommonsvc.exe	121
PID 4528 wrote to memory of 4196	4528	DllCommonsvc.exe	121
PID 4528 wrote to memory of 2320	4528	DllCommonsvc.exe	123
PID 4528 wrote to memory of 2320	4528	DllCommonsvc.exe	123
PID 4528 wrote to memory of 2752	4528	DllCommonsvc.exe	126
PID 4528 wrote to memory of 2752	4528	DllCommonsvc.exe	126
PID 4528 wrote to memory of 1404	4528	DllCommonsvc.exe	127
PID 4528 wrote to memory of 1404	4528	DllCommonsvc.exe	127
PID 4528 wrote to memory of 4436	4528	DllCommonsvc.exe	186
PID 4528 wrote to memory of 4436	4528	DllCommonsvc.exe	186
PID 4436 wrote to memory of 2084	4436	Conhost.exe	149
PID 4436 wrote to memory of 2084	4436	Conhost.exe	149
PID 4436 wrote to memory of 5084	4436	Conhost.exe	166
PID 4436 wrote to memory of 5084	4436	Conhost.exe	166
PID 4436 wrote to memory of 4260	4436	Conhost.exe	164
PID 4436 wrote to memory of 4260	4436	Conhost.exe	164
PID 4436 wrote to memory of 3928	4436	Conhost.exe	163
PID 4436 wrote to memory of 3928	4436	Conhost.exe	163
PID 4436 wrote to memory of 2832	4436	Conhost.exe	161
PID 4436 wrote to memory of 2832	4436	Conhost.exe	161
PID 4436 wrote to memory of 4236	4436	Conhost.exe	159
PID 4436 wrote to memory of 4236	4436	Conhost.exe	159
PID 4436 wrote to memory of 3520	4436	Conhost.exe	157
PID 4436 wrote to memory of 3520	4436	Conhost.exe	157
PID 4436 wrote to memory of 3320	4436	Conhost.exe	156
PID 4436 wrote to memory of 3320	4436	Conhost.exe	156
PID 4436 wrote to memory of 2820	4436	Conhost.exe	154
PID 4436 wrote to memory of 2820	4436	Conhost.exe	154
PID 4436 wrote to memory of 3868	4436	Conhost.exe	173
PID 4436 wrote to memory of 3868	4436	Conhost.exe	173
PID 3868 wrote to memory of 1392	3868	cmd.exe	176
PID 3868 wrote to memory of 1392	3868	cmd.exe	176
PID 3868 wrote to memory of 4564	3868	cmd.exe	181
PID 3868 wrote to memory of 4564	3868	cmd.exe	181
PID 4564 wrote to memory of 3056	4564	conhost.exe	185
PID 4564 wrote to memory of 3056	4564	conhost.exe	185
PID 3056 wrote to memory of 1372	3056	cmd.exe	187
PID 3056 wrote to memory of 1372	3056	cmd.exe	187
PID 3056 wrote to memory of 4760	3056	cmd.exe	188
PID 3056 wrote to memory of 4760	3056	cmd.exe	188
PID 4760 wrote to memory of 4640	4760	conhost.exe	191
PID 4760 wrote to memory of 4640	4760	conhost.exe	191
PID 4640 wrote to memory of 3384	4640	cmd.exe	190
PID 4640 wrote to memory of 3384	4640	cmd.exe	190

C:\Users\Admin\AppData\Local\Temp\24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210.exe
"C:\Users\Admin\AppData\Local\Temp\24c0d3e40f493f1f5706ed5fbb62230b58c7af5964a50b57452222d744520210.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\upfc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        
        PID:4436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\sppsvc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\taskhostw.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DllCommonsvc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y79pv21a36.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1392
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1372
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
        12⤵
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4260
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
        14⤵
        
        PID:5100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4148
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
        16⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3632
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
        18⤵
        
        PID:4944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4092
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
        20⤵
        
        PID:3612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2288
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
        22⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4940
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
        24⤵
        
        PID:3956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4536
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
        26⤵
        
        PID:3972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c557aa00dc4a6ff86db4be1735e9d30

SHA1
7c155ad08e280926832bdad0aa948843de2ce5a2

SHA256
aad198f453bdcef5e479c7e622c005782f94d0b391798245284aad9506fa7e48

SHA512
2c311b272941308197e3f2fe9d961dda9682dfd514cc48bc63b156afb0d18cace8635f0d080b9f77ed43e67b551232a6fb5b86e88c2414f8bd2f32cbe5521ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c557aa00dc4a6ff86db4be1735e9d30

SHA1
7c155ad08e280926832bdad0aa948843de2ce5a2

SHA256
aad198f453bdcef5e479c7e622c005782f94d0b391798245284aad9506fa7e48

SHA512
2c311b272941308197e3f2fe9d961dda9682dfd514cc48bc63b156afb0d18cace8635f0d080b9f77ed43e67b551232a6fb5b86e88c2414f8bd2f32cbe5521ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51cf8df21f531e31f7740b4ec487a48a

SHA1
40c6a73b22d71625a62df109aefc92a5f9b9d13e

SHA256
263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

SHA512
57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51cf8df21f531e31f7740b4ec487a48a

SHA1
40c6a73b22d71625a62df109aefc92a5f9b9d13e

SHA256
263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

SHA512
57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
150616521d490e160cd33b97d678d206

SHA1
71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

SHA256
94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

SHA512
7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
150616521d490e160cd33b97d678d206

SHA1
71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

SHA256
94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

SHA512
7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bf3651a8682259b5e292b98289271f76

SHA1
4694a32734c377985dafbd15e26b9a129f1e4a45

SHA256
5ffc07abea05b9bb523e511ed75995488a22e3dd54fddc50b62b8336bd57c575

SHA512
d9cd369fc710131f0f24c3add83a923625831b1bfb4fba0da83dd71fa41a4ed5a0f0e00755f3cf8ae2aef4aa498c353348c51c167f7d6a2af834f07c78b33896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

Filesize
194B

MD5
56ce546cbabbd81c38cf81da4ece09cd

SHA1
de4aa2b36057732178a5ffa023d47459fd62de7e

SHA256
4589f90648bc4778219f877d25fc09d1d1b4900b7d83a2fe55e981ccb54e3fd9

SHA512
0633e4e2a04421671531bceec1d9a16338b34f2c1fae9a61a981416259b381594a1c2fba13b757b0ed31a8190bbcbca78f25ca8c2ddf37dc014aa0dc96c29211

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

Filesize
194B

MD5
9934ded6ca764ab29c2dc69f7f54df6f

SHA1
0cae11b5a81dc07ecf276b6be02687f497b6725d

SHA256
42af76a0c47c8c90c9a676752d92cc0173d262381bddbf3e6d5afd5314bdaab5

SHA512
25feff88cbe29337cd1008a39843ba54ed89993fbe1608a3df63e306e5fe6a73d278b83498354140f8f36f1cd6706f1ec708ed3cd614847a5001c309348f4666

Download Submit
C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat

Filesize
194B

MD5
404f6b174aa951a044c6edda3af2823a

SHA1
9c1e2fc525fc3256da69f47938c0589f3de3a024

SHA256
f2af8bb2f55fe0e47306e55170d4db1027f5703bd7f1264047a6679ff2f335cd

SHA512
da617545b6603c8a8862b71c2e31fb4a12b0774044c145896773570dd643594db5960c83f4843eb9349c291cc4b9d42fa81efac4705167e8fc77c20088977338

Download Submit
C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

Filesize
194B

MD5
31d9df1b0af475fd8e141bfe6c74aad3

SHA1
87affefbbb03ab659618fda0e61c60db83eae29b

SHA256
e6d97e53b74c80e405e17f6bb7c6c61f38ee7dc15df491aa5f2ec61009217c3e

SHA512
be2b8807b5e5c46342ce08e67d378fbed958a54d5000787e14e13553861c28170c8c1bef6541e4cf02f67a7c12501b92f966b1e9d3bf9058a94e2b8ec94d68ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

Filesize
194B

MD5
57976d3bf4fdbae4adc18a67b14f3a0c

SHA1
23c45e36aab45f29fb36e8979c25aa3f6a278dd9

SHA256
da3a9760f0594683988897ea9efd7600b4c5ec3e923d8bc59eb59bdc9d5bc8c2

SHA512
95eeb83f2cec3d933708eaf02d6cd1bddae51fcf6261df785046e21ede93992d617ad6d261f02760dbfcfcc27cd756b5ecbd9069e17b274ca65cd1422173033a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

Filesize
194B

MD5
6914723b88d016ffeb0a28ddbaf23275

SHA1
92b20cba9138d54d5dbe97b3dcf02f8b2d3f34b8

SHA256
3c955d19bd61998eb952464c1e8588a9ff30360fa3c11adbc9fd9fd5c788de8d

SHA512
3287b8d0fc5efec0525c49afe4d67002844ba60008d19eacdfffccd95e166f91e13014638a0d6983e254388505dbe442956c9bb366e637555a3f3ba13c4abe87

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat

Filesize
194B

MD5
ee5fbc3bbd8eb7f6c0362f1a5f0d90a9

SHA1
8aa6c22ff7c7680a9a4739156ef2780acb9f3a74

SHA256
e1efd0c8fc0f59dc870bc2bae585708f252e2348a36e55a87409e7be75c67132

SHA512
3fb05708860d2f5696c06b6a2d79ad4f0ae602b67c248911cfc2145228ccf95b7602df0a02dc59db922c04ff2eaa384fd76efadd62d08a43cbac9371801542b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat

Filesize
194B

MD5
8123300ef08da8562ed2a984909e54ca

SHA1
ebe4be169c4913f2d86343d9746e27adb26184ab

SHA256
633540044723ba8194686fcdd6b8b16352c8eb6838983154cb197c625af97f4c

SHA512
fdb22b15441df05d1c847eaf584dec99c06e23abaf01132dbaa75206d6ea20819b8652fa29e1548ce7cacd29bbdae1317c63bee5dbae9b28778b792792b193c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat

Filesize
194B

MD5
8123300ef08da8562ed2a984909e54ca

SHA1
ebe4be169c4913f2d86343d9746e27adb26184ab

SHA256
633540044723ba8194686fcdd6b8b16352c8eb6838983154cb197c625af97f4c

SHA512
fdb22b15441df05d1c847eaf584dec99c06e23abaf01132dbaa75206d6ea20819b8652fa29e1548ce7cacd29bbdae1317c63bee5dbae9b28778b792792b193c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat

Filesize
194B

MD5
9b2d11eeb9e3884f9328288489d968fc

SHA1
9ab79cb7fb5d4685d9c0497619078f32c9c38a83

SHA256
d9804c483b367ab6a7f22341f4f107bbe387d8ff9ef683f75593c8d6808b6fbe

SHA512
99d4a363503aadd5dd580b2fdac7c115a049917dc23315af14ca6fed592a7e70cc97fc5be51b834ea5d67608ef98cf3dee2ed1799416c417a7d62abf2d20ab4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\y79pv21a36.bat

Filesize
194B

MD5
39fe70fbd1c860aa27a2d4c5667d06e1

SHA1
446aedcce33a39e7124b5f7f8e86fc2c0ef2840e

SHA256
4775246ab1e29838cebed65afe8a9560ec65d604c9a6e768a63bf71a72a4a877

SHA512
57d906dae38671f272cb81a29482d24b0a272baa233c4e26bc61eafe10515a1762fe056c0ca822f4b9e2b33bbda5785c3d0e80b50ec1b5d77de5039b1d7eb739

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/672-259-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/672-263-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-277-0x00007FFBDBF20000-0x00007FFBDC9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-273-0x00007FFBDBF20000-0x00007FFBDC9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-163-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-184-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-287-0x00007FFBDBF20000-0x00007FFBDC9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-291-0x00007FFBDBF20000-0x00007FFBDC9E1000-memory.dmp

Filesize
10.8MB

Download
memory/1888-180-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/1888-160-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-195-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-210-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-165-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2320-179-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2752-164-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2752-177-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-205-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-218-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-208-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-224-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-158-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-176-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3188-245-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3188-249-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3320-214-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3320-203-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3444-182-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3444-154-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-161-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-183-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-209-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-226-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3928-200-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/3928-223-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4028-252-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4028-256-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4196-162-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4196-175-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-202-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-221-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4260-217-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4260-199-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4356-294-0x00007FFBDBF20000-0x00007FFBDC9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4356-298-0x00007FFBDBF20000-0x00007FFBDC9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-204-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-166-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-157-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-139-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/4528-140-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-284-0x00007FFBDBF20000-0x00007FFBDC9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-280-0x00007FFBDBF20000-0x00007FFBDC9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-230-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-234-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-242-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-238-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-266-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-270-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-156-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-186-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-178-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-159-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-153-0x000001BC7F3E0000-0x000001BC7F402000-memory.dmp

Filesize
136KB

Download
memory/5084-213-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-196-0x00007FFBDBD10000-0x00007FFBDC7D1000-memory.dmp

Filesize
10.8MB

Download