dcrat | bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9.exe
Size

1.3MB
MD5

70967f3070269dd458fcfbd648b5366f
SHA1

06b31a392e58809e6a86d4b4397af6f00b8f5ff2
SHA256

bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9
SHA512

8df19295553339bc62b0bf51c1541080b5c9e7d04e15a8d503acb4cca5be9d62b11dda8be8c2433adf4ddb433e004d2002256382233974598f19ab7b3099ccea
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	2184	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2184	schtasks.exe	83

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000022f6f-137.dat	dcrat
behavioral1/files/0x0009000000022f6f-138.dat	dcrat
behavioral1/memory/1732-139-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/files/0x0006000000022fa9-215.dat	dcrat
behavioral1/files/0x0006000000022fa9-216.dat	dcrat
behavioral1/files/0x0006000000022fa9-224.dat	dcrat
behavioral1/files/0x0006000000022fa9-232.dat	dcrat
behavioral1/files/0x0006000000022fa9-239.dat	dcrat
behavioral1/files/0x0006000000022fa9-246.dat	dcrat
behavioral1/files/0x0006000000022fa9-253.dat	dcrat
behavioral1/files/0x0006000000022fa9-260.dat	dcrat
behavioral1/files/0x0006000000022fa9-267.dat	dcrat
behavioral1/files/0x0006000000022fa9-274.dat	dcrat

Executes dropped EXE 10 IoCs

pid	Process
1732	DllCommonsvc.exe
5716	explorer.exe
5952	explorer.exe
3996	explorer.exe
212	explorer.exe
3564	explorer.exe
4200	explorer.exe
456	explorer.exe
756	explorer.exe
64	explorer.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4792	schtasks.exe
2144	schtasks.exe
668	schtasks.exe
5000	schtasks.exe
736	schtasks.exe
4588	schtasks.exe
3076	schtasks.exe
4428	schtasks.exe
4836	schtasks.exe
2560	schtasks.exe
1104	schtasks.exe
4864	schtasks.exe
3484	schtasks.exe
2464	schtasks.exe
3876	schtasks.exe
5108	schtasks.exe
3568	schtasks.exe
2112	schtasks.exe
3708	schtasks.exe
2216	schtasks.exe
1500	schtasks.exe
4952	schtasks.exe
3388	schtasks.exe
4936	schtasks.exe
1908	schtasks.exe
1680	schtasks.exe
5092	schtasks.exe
4120	schtasks.exe
2876	schtasks.exe
4384	schtasks.exe
1984	schtasks.exe
940	schtasks.exe
4964	schtasks.exe
4876	schtasks.exe
5048	schtasks.exe
2160	schtasks.exe
5044	schtasks.exe
4984	schtasks.exe
4716	schtasks.exe
2296	schtasks.exe
4128	schtasks.exe
5060	schtasks.exe
3940	schtasks.exe
3992	schtasks.exe
2504	schtasks.exe
4600	schtasks.exe
3464	schtasks.exe
360	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
1732	DllCommonsvc.exe
4920	powershell.exe
4920	powershell.exe
4172	powershell.exe
4172	powershell.exe
4240	powershell.exe
4240	powershell.exe
3360	powershell.exe
3360	powershell.exe
1068	powershell.exe
1068	powershell.exe
1184	powershell.exe
1184	powershell.exe
3104	powershell.exe
3104	powershell.exe
4652	powershell.exe
4652	powershell.exe
2364	powershell.exe
2364	powershell.exe
5004	powershell.exe
5004	powershell.exe
2432	powershell.exe
2432	powershell.exe
4072	powershell.exe
4072	powershell.exe
3496	powershell.exe
3496	powershell.exe
4024	powershell.exe
4024	powershell.exe
1244	powershell.exe
1244	powershell.exe
4216	powershell.exe
4216	powershell.exe
2608	powershell.exe
2608	powershell.exe
4920	powershell.exe
4920	powershell.exe
4240	powershell.exe
1068	powershell.exe
4240	powershell.exe
1068	powershell.exe
4172	powershell.exe
4172	powershell.exe
1184	powershell.exe
1184	powershell.exe
3360	powershell.exe
3360	powershell.exe
4652	powershell.exe
4652	powershell.exe
5004	powershell.exe
3104	powershell.exe
3104	powershell.exe
2364	powershell.exe
3496	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	DllCommonsvc.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	5716	explorer.exe
Token: SeDebugPrivilege	5952	explorer.exe
Token: SeDebugPrivilege	3996	explorer.exe
Token: SeDebugPrivilege	212	explorer.exe
Token: SeDebugPrivilege	3564	explorer.exe
Token: SeDebugPrivilege	4200	explorer.exe
Token: SeDebugPrivilege	456	explorer.exe
Token: SeDebugPrivilege	756	explorer.exe
Token: SeDebugPrivilege	64	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 4584	4328	bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9.exe	79
PID 4328 wrote to memory of 4584	4328	bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9.exe	79
PID 4328 wrote to memory of 4584	4328	bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9.exe	79
PID 4584 wrote to memory of 3084	4584	WScript.exe	84
PID 4584 wrote to memory of 3084	4584	WScript.exe	84
PID 4584 wrote to memory of 3084	4584	WScript.exe	84
PID 3084 wrote to memory of 1732	3084	cmd.exe	86
PID 3084 wrote to memory of 1732	3084	cmd.exe	86
PID 1732 wrote to memory of 3360	1732	DllCommonsvc.exe	136
PID 1732 wrote to memory of 3360	1732	DllCommonsvc.exe	136
PID 1732 wrote to memory of 4920	1732	DllCommonsvc.exe	137
PID 1732 wrote to memory of 4920	1732	DllCommonsvc.exe	137
PID 1732 wrote to memory of 4240	1732	DllCommonsvc.exe	138
PID 1732 wrote to memory of 4240	1732	DllCommonsvc.exe	138
PID 1732 wrote to memory of 4172	1732	DllCommonsvc.exe	140
PID 1732 wrote to memory of 4172	1732	DllCommonsvc.exe	140
PID 1732 wrote to memory of 1068	1732	DllCommonsvc.exe	141
PID 1732 wrote to memory of 1068	1732	DllCommonsvc.exe	141
PID 1732 wrote to memory of 1184	1732	DllCommonsvc.exe	142
PID 1732 wrote to memory of 1184	1732	DllCommonsvc.exe	142
PID 1732 wrote to memory of 5004	1732	DllCommonsvc.exe	145
PID 1732 wrote to memory of 5004	1732	DllCommonsvc.exe	145
PID 1732 wrote to memory of 3104	1732	DllCommonsvc.exe	148
PID 1732 wrote to memory of 3104	1732	DllCommonsvc.exe	148
PID 1732 wrote to memory of 4652	1732	DllCommonsvc.exe	149
PID 1732 wrote to memory of 4652	1732	DllCommonsvc.exe	149
PID 1732 wrote to memory of 3496	1732	DllCommonsvc.exe	150
PID 1732 wrote to memory of 3496	1732	DllCommonsvc.exe	150
PID 1732 wrote to memory of 4072	1732	DllCommonsvc.exe	155
PID 1732 wrote to memory of 4072	1732	DllCommonsvc.exe	155
PID 1732 wrote to memory of 2364	1732	DllCommonsvc.exe	169
PID 1732 wrote to memory of 2364	1732	DllCommonsvc.exe	169
PID 1732 wrote to memory of 2432	1732	DllCommonsvc.exe	157
PID 1732 wrote to memory of 2432	1732	DllCommonsvc.exe	157
PID 1732 wrote to memory of 4024	1732	DllCommonsvc.exe	158
PID 1732 wrote to memory of 4024	1732	DllCommonsvc.exe	158
PID 1732 wrote to memory of 1244	1732	DllCommonsvc.exe	159
PID 1732 wrote to memory of 1244	1732	DllCommonsvc.exe	159
PID 1732 wrote to memory of 4216	1732	DllCommonsvc.exe	164
PID 1732 wrote to memory of 4216	1732	DllCommonsvc.exe	164
PID 1732 wrote to memory of 2608	1732	DllCommonsvc.exe	162
PID 1732 wrote to memory of 2608	1732	DllCommonsvc.exe	162
PID 1732 wrote to memory of 4588	1732	DllCommonsvc.exe	172
PID 1732 wrote to memory of 4588	1732	DllCommonsvc.exe	172
PID 4588 wrote to memory of 5224	4588	cmd.exe	174
PID 4588 wrote to memory of 5224	4588	cmd.exe	174
PID 4588 wrote to memory of 5716	4588	cmd.exe	176
PID 4588 wrote to memory of 5716	4588	cmd.exe	176
PID 5716 wrote to memory of 5860	5716	explorer.exe	177
PID 5716 wrote to memory of 5860	5716	explorer.exe	177
PID 5860 wrote to memory of 5920	5860	cmd.exe	179
PID 5860 wrote to memory of 5920	5860	cmd.exe	179
PID 5860 wrote to memory of 5952	5860	cmd.exe	180
PID 5860 wrote to memory of 5952	5860	cmd.exe	180
PID 5952 wrote to memory of 6060	5952	explorer.exe	181
PID 5952 wrote to memory of 6060	5952	explorer.exe	181
PID 6060 wrote to memory of 6124	6060	cmd.exe	183
PID 6060 wrote to memory of 6124	6060	cmd.exe	183
PID 6060 wrote to memory of 3996	6060	cmd.exe	184
PID 6060 wrote to memory of 3996	6060	cmd.exe	184
PID 3996 wrote to memory of 2292	3996	explorer.exe	185
PID 3996 wrote to memory of 2292	3996	explorer.exe	185
PID 2292 wrote to memory of 4976	2292	cmd.exe	187
PID 2292 wrote to memory of 4976	2292	cmd.exe	187

C:\Users\Admin\AppData\Local\Temp\bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9.exe
"C:\Users\Admin\AppData\Local\Temp\bef5ecbaef5696d0aa7d49c12bcc2d014b65cf225d1b710e1af445a722b481f9.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AbCNHDKgVP.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5224
      - C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5920
        
        C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:6060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:6124
        
        C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4976
        
        C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
        13⤵
        
        PID:4380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3232
        
        C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
        15⤵
        
        PID:3200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4456
        
        C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
        17⤵
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5380
        
        C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        19⤵
        
        PID:4968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:5536
        
        C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        21⤵
        
        PID:216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2124
        
        C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Google\Chrome\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbCNHDKgVP.bat

Filesize
208B

MD5
ef538c2a422dc8e4d53f9efbb537dd1b

SHA1
80a1ad9e9f40b02265c7fcc953bef66cf8e7a4a3

SHA256
519645e7a9134a3035b750c275fc540dd24e07584219d52cf05ab3118e20db9b

SHA512
39b5a4e33b0ef4d7aab2e3e1177a7832a981674116f2f67fe2c823272908f3eb7330c1a27e9377814cd734478d9bb6ccd952eea21381fc355ef8bee84e088a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

Filesize
208B

MD5
8b34115c96f9b016a4bf8a1db3eb3d0e

SHA1
db48b880a62de0130eb62ecb5e0d1137102a8eca

SHA256
c24cfb61ab29a5cdaabd2adca1ec090d363e852261a4425bc1245c7e5df1d0ae

SHA512
76415c0f55c87eda6d3cdeebbd863c1b2ff643b6fcdec24806740b308f274a98f677e4ddbf0822f30cd53ae035f736509a9833f1663ed86edab52ec52aa4bb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat

Filesize
208B

MD5
10b7a91654d34e20ca0d87238017aaf2

SHA1
0251102ca2cbbf578c1afe1ac5d7cc269933ff50

SHA256
1a381af4409f8bc89a86829c53096ed32cbf8b9abc23be3263ea06930b9a6c00

SHA512
989a8396c9577ae0dd17c0c56db72f56ae90b8f702e8b06c8c6a474e4ac84f5224acf47197e53c9f0b7909a6b330007f6384547ed6eacbd92245a1473e23dae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
208B

MD5
2361ebd82c1a81c692061e41e31dec10

SHA1
ee086c7a096a74c64c0465c0a08f02a626fc5cc8

SHA256
4cfd74575aebb35a858672ebbbe90a95ba7e1453eb823e207be4f9af5907398d

SHA512
b2dc14256ff5880f8212492095e823c20a23bc247275c68fe8d1553c7ee924f6bcb48c6056ecf994a6a92957a4e498526724d5d83b581652ba1fba3d5595ebec

Download Submit
C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

Filesize
208B

MD5
67dae7128190ae51dbdc2cdc43c9cf43

SHA1
33c7b882db689a8dc7692207283635e539392a18

SHA256
d530033093240973e8eecd818ed0b30c326e7d30bf5667d5d6385599f4188d4d

SHA512
af4c4935863c36f1ecbf45e3d9591e54b5dc1819103cf3d5e9185d16026d1322106595e9a66fb2f32558249c6b125e52bb44304429783d43a2648cdc7fbda3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

Filesize
208B

MD5
e81687284afcf47acea2a9fbfc7db9d5

SHA1
5197b21c53fbb72f09d79d54cf4d6c6fa1fcbffb

SHA256
0a6e559559338a7b5b85d2d3f147a67447a0bca3e97a2a85e0e9f6f49c94a0a8

SHA512
b24db4c2e9e4f071a142f8c55032319ca8044fc00573beca0523a46eaf745136a7801d90edf1621ad5241955c0432bca47c7fd46f615fdfba9edd083eacbe096

Download Submit
C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat

Filesize
208B

MD5
7d930bf957bb2d7cb182f55b11472525

SHA1
fd401e52b1b180e79f2630469a9c6c507342b31a

SHA256
068cebcccd432161afaab6a2ef9d791ad0e6b4d22682aaf5ed19afb489f1d30c

SHA512
33725aa9574258d8f0946d42bc6b10ebeeefaace2215f2f4adabf606923c2fed6cdb12760eb7e9dd1aae21d6a6c65965d98b3fe4dc0f75f23a20045e304b560a

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
208B

MD5
cc8b55ea73356ac28527dc8234752475

SHA1
544f3b2d0a6a0eed28cf2c79f03e1d5711d75266

SHA256
9bcfcc2c7fa946c3f7a598c930e10b82c7b9733f604066b9a07967c962a3c2db

SHA512
e19e5f864f6d6743bbdab0154802d9df8c1ba635dca4d08134e52a241737664222442dfa66b9b86a9287563eec99e3e186f9f18f02673723256b3a2f2a04c776

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat

Filesize
208B

MD5
dbde95926b4d4f869b369a28c78b6a9e

SHA1
207027a36dc46d565320093f0aac3b54cf386160

SHA256
e72b16b9254d94295720ae9b47481caf03ebc70be7e2292e0166b005f9d8a401

SHA512
206cc3eeaee28796cf598448bbdc7aefa38210c632f2602f0809aefa90dd421749f09059fbd00c065d590c66b84b1511e2a60b8aff2eb9f096561e18f20d842f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/64-275-0x00007FF85E630000-0x00007FF85F0F1000-memory.dmp

Filesize
10.8MB

Download
memory/212-240-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/212-244-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/456-261-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/456-265-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/756-272-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/756-268-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/1068-184-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/1068-164-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/1184-162-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/1184-189-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/1244-172-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/1244-211-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/1732-166-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/1732-139-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/1732-140-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/2364-207-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/2364-170-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/2432-201-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/2432-171-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/2608-174-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/2608-213-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/3104-195-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/3104-165-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/3360-193-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/3360-168-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/3496-169-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/3496-210-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/3564-251-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/3564-247-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/3996-235-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/3996-233-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4024-178-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4024-209-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4072-204-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4072-177-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4172-191-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4172-161-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4200-254-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-257-0x00007FF85E430000-0x00007FF85EEF1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-179-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4216-212-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4240-186-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4240-160-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4652-190-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4652-175-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4920-159-0x0000018870180000-0x00000188701A2000-memory.dmp

Filesize
136KB

Download
memory/4920-180-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/4920-157-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/5004-203-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/5004-167-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/5716-217-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/5716-222-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/5716-218-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/5952-226-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download
memory/5952-230-0x00007FF85E380000-0x00007FF85EE41000-memory.dmp

Filesize
10.8MB

Download