dcrat | 7a82d05e45bdb0a28cefe82a914c289a74aa7cc79c0eb2f8dc1d860839f0ec86

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 18:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a82d05e45bdb0a28cefe82a914c289a74aa7cc79c0eb2f8dc1d860839f0ec86.exe
Size

1.3MB
MD5

1e4b77f3baf9289b134fc6892752d392
SHA1

0e174e674629de1677a5f439808cc0b2a587f340
SHA256

7a82d05e45bdb0a28cefe82a914c289a74aa7cc79c0eb2f8dc1d860839f0ec86
SHA512

9792dba33e03a466320b52c23c17ca0bf79395063920312c64c776f4a76f66969ac4846756177690ca1c847e86eaf724902288c2bf2269989bd51c033d637593
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	3684	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3684	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000400000001ac07-284.dat	dcrat
behavioral1/files/0x000400000001ac07-285.dat	dcrat
behavioral1/memory/3912-286-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac21-360.dat	dcrat
behavioral1/files/0x000600000001ac21-361.dat	dcrat
behavioral1/files/0x000600000001ac21-931.dat	dcrat
behavioral1/files/0x000600000001ac21-938.dat	dcrat
behavioral1/files/0x000600000001ac21-944.dat	dcrat
behavioral1/files/0x000600000001ac21-949.dat	dcrat
behavioral1/files/0x000600000001ac21-954.dat	dcrat
behavioral1/files/0x000600000001ac21-959.dat	dcrat
behavioral1/files/0x000600000001ac21-964.dat	dcrat
behavioral1/files/0x000600000001ac21-970.dat	dcrat
behavioral1/files/0x000600000001ac21-975.dat	dcrat
behavioral1/files/0x000600000001ac21-981.dat	dcrat
behavioral1/files/0x000600000001ac21-986.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
3912	DllCommonsvc.exe
4716	ShellExperienceHost.exe
5192	ShellExperienceHost.exe
4444	ShellExperienceHost.exe
5236	ShellExperienceHost.exe
5948	ShellExperienceHost.exe
4844	ShellExperienceHost.exe
4768	ShellExperienceHost.exe
4300	ShellExperienceHost.exe
5832	ShellExperienceHost.exe
3992	ShellExperienceHost.exe
4232	ShellExperienceHost.exe
3792	ShellExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\System.exe	DllCommonsvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\56085415360792	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Calligraphy\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Calligraphy\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1272	schtasks.exe
3876	schtasks.exe
860	schtasks.exe
3252	schtasks.exe
5068	schtasks.exe
4536	schtasks.exe
4752	schtasks.exe
4448	schtasks.exe
3816	schtasks.exe
1812	schtasks.exe
32	schtasks.exe
3088	schtasks.exe
4160	schtasks.exe
4428	schtasks.exe
312	schtasks.exe
2208	schtasks.exe
3724	schtasks.exe
532	schtasks.exe
1464	schtasks.exe
1644	schtasks.exe
5088	schtasks.exe
4652	schtasks.exe
3136	schtasks.exe
1436	schtasks.exe
2172	schtasks.exe
628	schtasks.exe
4552	schtasks.exe
4592	schtasks.exe
3632	schtasks.exe
3720	schtasks.exe
828	schtasks.exe
1628	schtasks.exe
316	schtasks.exe
2312	schtasks.exe
4620	schtasks.exe
4528	schtasks.exe
2384	schtasks.exe
4776	schtasks.exe
3304	schtasks.exe
1060	schtasks.exe
1692	schtasks.exe
1256	schtasks.exe
1956	schtasks.exe
5056	schtasks.exe
4780	schtasks.exe
2396	schtasks.exe
688	schtasks.exe
668	schtasks.exe
1888	schtasks.exe
4988	schtasks.exe
4640	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	7a82d05e45bdb0a28cefe82a914c289a74aa7cc79c0eb2f8dc1d860839f0ec86.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	ShellExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3912	DllCommonsvc.exe
3912	DllCommonsvc.exe
3912	DllCommonsvc.exe
3912	DllCommonsvc.exe
3912	DllCommonsvc.exe
1792	powershell.exe
1792	powershell.exe
2772	powershell.exe
2772	powershell.exe
2732	powershell.exe
2732	powershell.exe
3376	powershell.exe
3376	powershell.exe
2680	powershell.exe
2680	powershell.exe
3856	powershell.exe
3856	powershell.exe
4856	powershell.exe
4856	powershell.exe
4816	powershell.exe
4816	powershell.exe
1948	powershell.exe
1948	powershell.exe
4052	powershell.exe
4052	powershell.exe
3512	powershell.exe
3512	powershell.exe
2992	powershell.exe
2992	powershell.exe
1208	powershell.exe
1208	powershell.exe
1392	powershell.exe
1392	powershell.exe
4944	powershell.exe
4944	powershell.exe
4928	powershell.exe
4928	powershell.exe
4964	powershell.exe
4964	powershell.exe
3512	powershell.exe
4864	powershell.exe
4864	powershell.exe
1208	powershell.exe
4716	ShellExperienceHost.exe
4716	ShellExperienceHost.exe
4928	powershell.exe
4944	powershell.exe
4964	powershell.exe
1792	powershell.exe
1792	powershell.exe
3856	powershell.exe
2772	powershell.exe
2772	powershell.exe
2732	powershell.exe
2732	powershell.exe
3376	powershell.exe
3512	powershell.exe
1208	powershell.exe
2680	powershell.exe
4052	powershell.exe
4856	powershell.exe
4816	powershell.exe
4928	powershell.exe
2992	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	DllCommonsvc.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4716	ShellExperienceHost.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeIncreaseQuotaPrivilege	4928	powershell.exe
Token: SeSecurityPrivilege	4928	powershell.exe
Token: SeTakeOwnershipPrivilege	4928	powershell.exe
Token: SeLoadDriverPrivilege	4928	powershell.exe
Token: SeSystemProfilePrivilege	4928	powershell.exe
Token: SeSystemtimePrivilege	4928	powershell.exe
Token: SeProfSingleProcessPrivilege	4928	powershell.exe
Token: SeIncBasePriorityPrivilege	4928	powershell.exe
Token: SeCreatePagefilePrivilege	4928	powershell.exe
Token: SeBackupPrivilege	4928	powershell.exe
Token: SeRestorePrivilege	4928	powershell.exe
Token: SeShutdownPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeSystemEnvironmentPrivilege	4928	powershell.exe
Token: SeRemoteShutdownPrivilege	4928	powershell.exe
Token: SeUndockPrivilege	4928	powershell.exe
Token: SeManageVolumePrivilege	4928	powershell.exe
Token: 33	4928	powershell.exe
Token: 34	4928	powershell.exe
Token: 35	4928	powershell.exe
Token: 36	4928	powershell.exe
Token: SeIncreaseQuotaPrivilege	4964	powershell.exe
Token: SeSecurityPrivilege	4964	powershell.exe
Token: SeTakeOwnershipPrivilege	4964	powershell.exe
Token: SeLoadDriverPrivilege	4964	powershell.exe
Token: SeSystemProfilePrivilege	4964	powershell.exe
Token: SeSystemtimePrivilege	4964	powershell.exe
Token: SeProfSingleProcessPrivilege	4964	powershell.exe
Token: SeIncBasePriorityPrivilege	4964	powershell.exe
Token: SeCreatePagefilePrivilege	4964	powershell.exe
Token: SeBackupPrivilege	4964	powershell.exe
Token: SeRestorePrivilege	4964	powershell.exe
Token: SeShutdownPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeSystemEnvironmentPrivilege	4964	powershell.exe
Token: SeRemoteShutdownPrivilege	4964	powershell.exe
Token: SeUndockPrivilege	4964	powershell.exe
Token: SeManageVolumePrivilege	4964	powershell.exe
Token: 33	4964	powershell.exe
Token: 34	4964	powershell.exe
Token: 35	4964	powershell.exe
Token: 36	4964	powershell.exe
Token: SeIncreaseQuotaPrivilege	1208	powershell.exe
Token: SeSecurityPrivilege	1208	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 2036	4808	7a82d05e45bdb0a28cefe82a914c289a74aa7cc79c0eb2f8dc1d860839f0ec86.exe	66
PID 4808 wrote to memory of 2036	4808	7a82d05e45bdb0a28cefe82a914c289a74aa7cc79c0eb2f8dc1d860839f0ec86.exe	66
PID 4808 wrote to memory of 2036	4808	7a82d05e45bdb0a28cefe82a914c289a74aa7cc79c0eb2f8dc1d860839f0ec86.exe	66
PID 2036 wrote to memory of 704	2036	WScript.exe	67
PID 2036 wrote to memory of 704	2036	WScript.exe	67
PID 2036 wrote to memory of 704	2036	WScript.exe	67
PID 704 wrote to memory of 3912	704	cmd.exe	69
PID 704 wrote to memory of 3912	704	cmd.exe	69
PID 3912 wrote to memory of 1792	3912	DllCommonsvc.exe	122
PID 3912 wrote to memory of 1792	3912	DllCommonsvc.exe	122
PID 3912 wrote to memory of 2772	3912	DllCommonsvc.exe	123
PID 3912 wrote to memory of 2772	3912	DllCommonsvc.exe	123
PID 3912 wrote to memory of 2732	3912	DllCommonsvc.exe	124
PID 3912 wrote to memory of 2732	3912	DllCommonsvc.exe	124
PID 3912 wrote to memory of 3376	3912	DllCommonsvc.exe	125
PID 3912 wrote to memory of 3376	3912	DllCommonsvc.exe	125
PID 3912 wrote to memory of 2680	3912	DllCommonsvc.exe	126
PID 3912 wrote to memory of 2680	3912	DllCommonsvc.exe	126
PID 3912 wrote to memory of 3856	3912	DllCommonsvc.exe	127
PID 3912 wrote to memory of 3856	3912	DllCommonsvc.exe	127
PID 3912 wrote to memory of 4816	3912	DllCommonsvc.exe	129
PID 3912 wrote to memory of 4816	3912	DllCommonsvc.exe	129
PID 3912 wrote to memory of 4856	3912	DllCommonsvc.exe	130
PID 3912 wrote to memory of 4856	3912	DllCommonsvc.exe	130
PID 3912 wrote to memory of 1948	3912	DllCommonsvc.exe	137
PID 3912 wrote to memory of 1948	3912	DllCommonsvc.exe	137
PID 3912 wrote to memory of 4052	3912	DllCommonsvc.exe	138
PID 3912 wrote to memory of 4052	3912	DllCommonsvc.exe	138
PID 3912 wrote to memory of 3512	3912	DllCommonsvc.exe	142
PID 3912 wrote to memory of 3512	3912	DllCommonsvc.exe	142
PID 3912 wrote to memory of 2992	3912	DllCommonsvc.exe	141
PID 3912 wrote to memory of 2992	3912	DllCommonsvc.exe	141
PID 3912 wrote to memory of 1208	3912	DllCommonsvc.exe	144
PID 3912 wrote to memory of 1208	3912	DllCommonsvc.exe	144
PID 3912 wrote to memory of 4944	3912	DllCommonsvc.exe	145
PID 3912 wrote to memory of 4944	3912	DllCommonsvc.exe	145
PID 3912 wrote to memory of 1392	3912	DllCommonsvc.exe	146
PID 3912 wrote to memory of 1392	3912	DllCommonsvc.exe	146
PID 3912 wrote to memory of 4928	3912	DllCommonsvc.exe	147
PID 3912 wrote to memory of 4928	3912	DllCommonsvc.exe	147
PID 3912 wrote to memory of 4964	3912	DllCommonsvc.exe	148
PID 3912 wrote to memory of 4964	3912	DllCommonsvc.exe	148
PID 3912 wrote to memory of 4864	3912	DllCommonsvc.exe	149
PID 3912 wrote to memory of 4864	3912	DllCommonsvc.exe	149
PID 3912 wrote to memory of 4716	3912	DllCommonsvc.exe	153
PID 3912 wrote to memory of 4716	3912	DllCommonsvc.exe	153
PID 4716 wrote to memory of 5252	4716	ShellExperienceHost.exe	160
PID 4716 wrote to memory of 5252	4716	ShellExperienceHost.exe	160
PID 5252 wrote to memory of 5616	5252	cmd.exe	162
PID 5252 wrote to memory of 5616	5252	cmd.exe	162
PID 5252 wrote to memory of 5192	5252	cmd.exe	163
PID 5252 wrote to memory of 5192	5252	cmd.exe	163
PID 5192 wrote to memory of 4160	5192	ShellExperienceHost.exe	164
PID 5192 wrote to memory of 4160	5192	ShellExperienceHost.exe	164
PID 4160 wrote to memory of 2620	4160	cmd.exe	166
PID 4160 wrote to memory of 2620	4160	cmd.exe	166
PID 4160 wrote to memory of 4444	4160	cmd.exe	167
PID 4160 wrote to memory of 4444	4160	cmd.exe	167
PID 4444 wrote to memory of 5476	4444	ShellExperienceHost.exe	168
PID 4444 wrote to memory of 5476	4444	ShellExperienceHost.exe	168
PID 5476 wrote to memory of 5544	5476	cmd.exe	170
PID 5476 wrote to memory of 5544	5476	cmd.exe	170
PID 5476 wrote to memory of 5236	5476	cmd.exe	171
PID 5476 wrote to memory of 5236	5476	cmd.exe	171

C:\Users\Admin\AppData\Local\Temp\7a82d05e45bdb0a28cefe82a914c289a74aa7cc79c0eb2f8dc1d860839f0ec86.exe
"C:\Users\Admin\AppData\Local\Temp\7a82d05e45bdb0a28cefe82a914c289a74aa7cc79c0eb2f8dc1d860839f0ec86.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Calligraphy\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
    - - C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5616
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2620
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5544
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        12⤵
        
        PID:5712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5924
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"
        14⤵
        
        PID:4600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4296
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        16⤵
        
        PID:1016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3184
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
        18⤵
        
        PID:216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1332
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        20⤵
        
        PID:4124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2796
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
        22⤵
        
        PID:5084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2788
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"
        24⤵
        
        PID:5072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:432
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        26⤵
        
        PID:4036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1464
        
        C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe
        
        "C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        28⤵
        
        PID:6060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\My Documents\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Calligraphy\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Media\Calligraphy\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Calligraphy\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\CbsTemp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\CbsTemp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\CbsTemp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShellExperienceHost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
221f78f47a99bd564ac37006009a77f3

SHA1
0b9302828d2837a51d6bfd4b2b03fc523c04327b

SHA256
2e3ce758e4fb1c5834f9fdec77a7e06a4d7f79d05f67201bdcb559a7c9c6fb57

SHA512
f0a0d1c82afe13a4d539aa59bb99a4f910ee831d31789955013a69fc546052e4de9b6f7ad4de6c9850a8817332b46c071a0ad2c6d86ab06875fb513ba482e599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9249622b1dd9ed50cc98627cf19f56cf

SHA1
9536d8d61bdf8092b204cc780c27ef98eaa81d67

SHA256
2f898a60776941805a68e89b6c7f9ee4e6a1359eba29c2d64da0ec421aa544f8

SHA512
468d153af3a34d8f537fef51b8ff93ba85fef1926036a8967d952e70f7fb22b642139aaad2e28e61e8573409b7d26d02570b85ea9bd8ad6f209d50d36fcaa0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9249622b1dd9ed50cc98627cf19f56cf

SHA1
9536d8d61bdf8092b204cc780c27ef98eaa81d67

SHA256
2f898a60776941805a68e89b6c7f9ee4e6a1359eba29c2d64da0ec421aa544f8

SHA512
468d153af3a34d8f537fef51b8ff93ba85fef1926036a8967d952e70f7fb22b642139aaad2e28e61e8573409b7d26d02570b85ea9bd8ad6f209d50d36fcaa0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9249622b1dd9ed50cc98627cf19f56cf

SHA1
9536d8d61bdf8092b204cc780c27ef98eaa81d67

SHA256
2f898a60776941805a68e89b6c7f9ee4e6a1359eba29c2d64da0ec421aa544f8

SHA512
468d153af3a34d8f537fef51b8ff93ba85fef1926036a8967d952e70f7fb22b642139aaad2e28e61e8573409b7d26d02570b85ea9bd8ad6f209d50d36fcaa0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e67d63af1cbf430a536a32e9516ae005

SHA1
73509dd7c3530418376c65146d24318a9b62c309

SHA256
6e3f68cef0b212d8023528c818c4b934ea64a61e5d6eb1113e2a551373e7a11b

SHA512
62e4bbd921e5cc5a520e49345193e2eced6558ac029e92d88387ca7bdaffb5d66ea07a951049db4ea2329481a5a6b66599af86c85d38670dc79153527ee216d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b3dc64f18bcf71681ba58991b67f39f3

SHA1
daad0ad5c3302b551dc0add3df38e2c7a4e343b2

SHA256
20e6c2a758054ebe9b550306d07c8b6fc1e2e94f664ffa7085d7471f2ba9ac9b

SHA512
6cf213a8a247b71aacbd7a340173f8d78582599e926773c3cc125764885346c3444e0883d838a8330ce6a65c3d8bc5ca808fe86144a0bd3e6d25b5397a15241f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33f09571fc228512b42b865e714d25ea

SHA1
4393780218021f9c52898819846f8ce4e4d39b67

SHA256
0116e1727c305b74e9a0904b1c4b90f0c1a706825f4b72db706a5a11ce2e8199

SHA512
f2c523f80d51ddf46a07c34272b2de9d215e362813ebe462748e607b9765f0f34ca84380339cc8029052938b583a30cc94fea4caa8a9902ba00b60f5764b9414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
178c146d0fbfc31a8ef02f795235b14f

SHA1
cd6b77a59dd60cefb1c44ee999ca7b63e81da5cd

SHA256
c84f21c005c6e41b93d2753d0219f5726a229f831cffb658cfb38a63f071414b

SHA512
5c8699ba733de9deab7af5520b41da4474c91b2e0a74b8d71556adf3d84133bbefea5769948f2e3c3c693a07e45f31abdafbb800ee5706478a10915c51c9066d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8717382c9b4578b67999a667acb11037

SHA1
ce5b1eb4790b75a470176d6b019acd1b7430873c

SHA256
4eaea244a6153cd9fcfc78e6478f630ce5f77ddf4df56b3a08f8c7b562bb8442

SHA512
f1a01740910a0639b8598c1c5904e2aed66a945b7b33416a7afec65f54cf150a1a085e752adf12a6c408891442cad187dd2226125930de6190fd56faa9e04d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8717382c9b4578b67999a667acb11037

SHA1
ce5b1eb4790b75a470176d6b019acd1b7430873c

SHA256
4eaea244a6153cd9fcfc78e6478f630ce5f77ddf4df56b3a08f8c7b562bb8442

SHA512
f1a01740910a0639b8598c1c5904e2aed66a945b7b33416a7afec65f54cf150a1a085e752adf12a6c408891442cad187dd2226125930de6190fd56faa9e04d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f0093eac15e0ed3030cac513a8e0b16

SHA1
a6744c81ac67d33b1957a0282fdfc3de35ee3209

SHA256
595513553fe559fb63ffc901966fa29af944d14593d184421ca0ae0e09979bfe

SHA512
917aa9fed31a95aaf2d3514efe9818111725b66fba46668869c810e9d254031d7e0e1cadf525b0df6481a134e39563ca5996a2958a4289dd65a108aa4d5102f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f0093eac15e0ed3030cac513a8e0b16

SHA1
a6744c81ac67d33b1957a0282fdfc3de35ee3209

SHA256
595513553fe559fb63ffc901966fa29af944d14593d184421ca0ae0e09979bfe

SHA512
917aa9fed31a95aaf2d3514efe9818111725b66fba46668869c810e9d254031d7e0e1cadf525b0df6481a134e39563ca5996a2958a4289dd65a108aa4d5102f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f0093eac15e0ed3030cac513a8e0b16

SHA1
a6744c81ac67d33b1957a0282fdfc3de35ee3209

SHA256
595513553fe559fb63ffc901966fa29af944d14593d184421ca0ae0e09979bfe

SHA512
917aa9fed31a95aaf2d3514efe9818111725b66fba46668869c810e9d254031d7e0e1cadf525b0df6481a134e39563ca5996a2958a4289dd65a108aa4d5102f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f0093eac15e0ed3030cac513a8e0b16

SHA1
a6744c81ac67d33b1957a0282fdfc3de35ee3209

SHA256
595513553fe559fb63ffc901966fa29af944d14593d184421ca0ae0e09979bfe

SHA512
917aa9fed31a95aaf2d3514efe9818111725b66fba46668869c810e9d254031d7e0e1cadf525b0df6481a134e39563ca5996a2958a4289dd65a108aa4d5102f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4c5055728d0bb83f641130546c3c0413

SHA1
5ed164bfdb2db61d0f554412939e9bdba035e032

SHA256
c583a9ac27748092a995aa00dec36c1645875c2d36efd1e3a917f25e09d6a8bf

SHA512
d61544f9b68da9d89ccfa17bdf90d1d66adc441e0ff0a987c39b35dbdc3eeca4a065a635ff22afbe18790cd27ac0edd6e9071a8195fb46c0d3e919ae0ddd3f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f932e994208778da5a083d0935b0853

SHA1
1113bf7d2c6a9386917de2464e19944396a61248

SHA256
dcd24aef4bc6eb1e5bd327ff3c1da4c99594cdd867063d676f769afa9a652668

SHA512
eec271f2c7baba7e5b2ebf90a6eafbc84b8659e139f22a7f897c5a36680a4d58fd092f5e05dfe0b856647fcb5e6c5b9323f19f61e33d9a81d79b9b842ff85947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f932e994208778da5a083d0935b0853

SHA1
1113bf7d2c6a9386917de2464e19944396a61248

SHA256
dcd24aef4bc6eb1e5bd327ff3c1da4c99594cdd867063d676f769afa9a652668

SHA512
eec271f2c7baba7e5b2ebf90a6eafbc84b8659e139f22a7f897c5a36680a4d58fd092f5e05dfe0b856647fcb5e6c5b9323f19f61e33d9a81d79b9b842ff85947

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
223B

MD5
f088f6cc3835376760a9c0684bdcdbf2

SHA1
162b50d123d35e6942cd86d93ac5c3be189fb091

SHA256
a9113f2ab03a21b84ebbefb6efee7ff5bc4e206e7d0ec729616f35cae08619db

SHA512
89a80a747e028373e084531c720bd31df22b518e429a1692e2105b68b9f40830c17318bf3bcc79b6671ded1f6d7cfdb7899bf431c7b04fdcbe613a8dd930444a

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
223B

MD5
9169f6f81d04a896b78838b4184ac3d5

SHA1
12fb1114cf2bb1470483e8c550eeeefb0febc578

SHA256
16692bb4c2a31710a3eef22b8511d3623b6a43122c0888dc012891474ff0bd44

SHA512
3ae50527635c9337e9422f37c036a5c55d07b16bab6d1c2a0e66be38878206a6dae8c8cd7adfb3894e84157f26a255c7b8836782460a1d49bddfd770243585dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

Filesize
223B

MD5
831f925af810f7931fc458f5e55d7480

SHA1
53e76570f0d54da0558458972d5da1ad224d4764

SHA256
677e0ec38aad7edf0722fbb13ac091ccad67793241ed1b74d7ebd6ca89ca19d4

SHA512
37622fd7bcc44d113b1122c637220aaca17203ca7205cab04cb84f773f7e5c5c47f371bae7c7825971499634fa8696a20c58cf2eb3f7c2989264d96f9a2f08fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

Filesize
223B

MD5
757cd6ac92b0e544089481a70296119f

SHA1
bcc808dc7a7400d6d5797a3687d5083833effe6d

SHA256
eb6936fdac2eb8a1298b14fb24c0d35438bc68fe079ba6efb30896876f5de488

SHA512
2886969f2b169f9406315113bf0e05cbb55468c419026d968f27922d3042df1343878782985b29b5f909b59a0f7df8e50d0045d6975f8802e07e1d241f8f48c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat

Filesize
223B

MD5
b22eefb7966353dbb929d20b2016a75e

SHA1
86cabc1f3f7f25b2b7387e3a8324f3d67f8fef2c

SHA256
c1259e3746df90e72fc24548789d3c47a55051aff1b547967050361202ce4c91

SHA512
3b0713dee4fd6f91bba6ec96663033ad26dde1aed4a5a25c6507b41219fd8ff47b7c0a8fad29628c5b94486f98b1d35d797838fd5a23f5becfb673083cc15500

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat

Filesize
223B

MD5
e656fde7abc687cb03de1f4f36d118f8

SHA1
8735b5554437cc978675a0f5b4b76908897506ca

SHA256
b9a4b9ec763d5d9ad05c76537483d880b4b88832f5de71a1dfdf0fffb09dd2c5

SHA512
5dbddbaafebb2a2c164869c0cea012a7e31ce0bccaead01be3a3db2c57f7fb88b4e839483a9b6a50c3e07b776b41adef628fad1f438658ea61187c0cba90722b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
223B

MD5
3f57ca85ab981ced5a30f1caa6aab046

SHA1
db4f37123eed3a80db30622d1918085f148bb7da

SHA256
8642b203ff98021d3c6deecc39fa9ab172d0001e9e408375b16b9efb8b99f9de

SHA512
0fc50edf7d1b1f76f514b0d277fcc5f3dd4ab0d6760d744c1397e072149fbd6f63403a535f141e19612efa5dfcb53f514f391a1a3984e1cae04e870871ded7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

Filesize
223B

MD5
45a96d82ef196b2864bb839e3accb434

SHA1
2f4112ea41da9f4c8c7ce0aa59894a1fc8b9a79b

SHA256
6017996025e293fd41c491ff5a1ad502423d4dc008efcbf6f4a07e3d7ce0b78b

SHA512
de87e80112e3b6a79d4090c7b7dfc09fc7812d618aee21c224b4a2989f609a492d1b8e1752e566c0e043fd26f38e0c41388b6ffe6e25f17336e692683f266db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat

Filesize
223B

MD5
94bd4a0ee6e48c0404754bd7f040e967

SHA1
63734cdde79d3c7cec7c16d77f8ae8718083c90e

SHA256
d0a62231fc6869154e97b4636c9f564089413fd97ba5fd91508174fe2e67a2e7

SHA512
64ead1f4b033dd34df4b199c9b22a1014cb6afd4fbe3741e27da1bdca5cfc0da3fc9810d1c498baa75b0e6a4e39854144f3d8dbc3214b39ec13070f2b87eda70

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

Filesize
223B

MD5
de3f255f5e8b37752258d41c3f87f619

SHA1
19039eabd0829c3a4b81b2a4ce3ca1ef7c065c4b

SHA256
2418f4f32188c8b71d1af8f78fd5d907b09a05cdcc1fe39718b5479adfe8d1f3

SHA512
113bb4d902da7548dfef58b46071dd5d44812fcc77a427f7c8eb1881d10ed688c9bc52d07b8550011624f12a3127b66bb96211f47cc86f7e73f04672dfc86079

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
223B

MD5
09efdad3a985cbd621f8ad4dc5d85a25

SHA1
9970a71276ed1d888fb929832de782c07afcd3ce

SHA256
23879543cc6a5808f387e36feb9d8233cddb630b87915533ea9213c0708394b9

SHA512
055bd5b054fa409ce1deaac9b3c6ee6692834f9c24e5162b2ea3a4e53212407e35e814ac2ae4337a66581d0f6a284fd9cb7647a68a10c218c5561fbfc33401b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
223B

MD5
09efdad3a985cbd621f8ad4dc5d85a25

SHA1
9970a71276ed1d888fb929832de782c07afcd3ce

SHA256
23879543cc6a5808f387e36feb9d8233cddb630b87915533ea9213c0708394b9

SHA512
055bd5b054fa409ce1deaac9b3c6ee6692834f9c24e5162b2ea3a4e53212407e35e814ac2ae4337a66581d0f6a284fd9cb7647a68a10c218c5561fbfc33401b5

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Vss\Writers\Application\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1792-378-0x00000222873D0000-0x00000222873F2000-memory.dmp

Filesize
136KB

Download
memory/2036-185-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/2036-186-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3512-391-0x00000265C7320000-0x00000265C7396000-memory.dmp

Filesize
472KB

Download
memory/3912-288-0x0000000002C50000-0x0000000002C5C000-memory.dmp

Filesize
48KB

Download
memory/3912-290-0x0000000002C40000-0x0000000002C4C000-memory.dmp

Filesize
48KB

Download
memory/3912-289-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/3912-287-0x0000000001330000-0x0000000001342000-memory.dmp

Filesize
72KB

Download
memory/3912-286-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/3992-976-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/4300-965-0x0000000001480000-0x0000000001492000-memory.dmp

Filesize
72KB

Download
memory/4444-939-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/4716-385-0x0000000003050000-0x0000000003062000-memory.dmp

Filesize
72KB

Download
memory/4808-167-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-140-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-121-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-122-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-123-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-126-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-125-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-128-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-129-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-183-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-182-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-181-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-180-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-179-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-178-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-177-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-176-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-175-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-174-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-173-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-170-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-172-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-171-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-169-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-168-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-130-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-120-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-131-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-166-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-165-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-164-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-163-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-162-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-161-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-132-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-160-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-133-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-134-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-159-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-135-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-158-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-136-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-137-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-157-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-156-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-155-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-154-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-138-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-153-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-152-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-151-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-150-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-149-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-148-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-147-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-146-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-145-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-144-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-143-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-142-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-141-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-139-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/5192-933-0x0000000002C20000-0x0000000002C32000-memory.dmp

Filesize
72KB

Download