dcrat | 8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949

Analysis

max time kernel
299s
max time network
303s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17/12/2022, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe
Size

1.3MB
MD5

208f7d8b20f6546e5dbce1a6488f58ac
SHA1

261394e4148ae7fd616be8350464c4608cc7d1e7
SHA256

8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949
SHA512

d2bb39c1647609b999d5124782e1e74e0b20aaf71f4e218f2984859cdb28383bf22e70616c1ec485b974f4d2ec9f76c0bfce7d0002fef77bd781d8b71e381fc2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1244	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1244	schtasks.exe	32

DCRat payload 23 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001421e-60.dat	dcrat
behavioral1/files/0x000700000001421e-64.dat	dcrat
behavioral1/files/0x000700000001421e-62.dat	dcrat
behavioral1/files/0x000700000001421e-61.dat	dcrat
behavioral1/memory/1916-65-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/files/0x0006000000014379-118.dat	dcrat
behavioral1/files/0x0006000000014379-117.dat	dcrat
behavioral1/memory/3052-119-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/files/0x0006000000014379-157.dat	dcrat
behavioral1/memory/1544-160-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/files/0x0006000000014379-193.dat	dcrat
behavioral1/files/0x0006000000014379-242.dat	dcrat
behavioral1/files/0x0006000000014379-248.dat	dcrat
behavioral1/files/0x0006000000014379-255.dat	dcrat
behavioral1/files/0x0006000000014379-260.dat	dcrat
behavioral1/files/0x0006000000014379-266.dat	dcrat
behavioral1/files/0x0006000000014379-271.dat	dcrat
behavioral1/files/0x0006000000014379-276.dat	dcrat
behavioral1/files/0x0006000000014379-282.dat	dcrat
behavioral1/files/0x0006000000014379-288.dat	dcrat
behavioral1/files/0x0006000000014379-293.dat	dcrat
behavioral1/files/0x0006000000014379-299.dat	dcrat
behavioral1/files/0x0006000000014379-307.dat	dcrat

Executes dropped EXE 16 IoCs

pid	Process
1916	DllCommonsvc.exe
3052	explorer.exe
1544	explorer.exe
2876	explorer.exe
924	explorer.exe
1044	explorer.exe
1968	explorer.exe
1636	explorer.exe
2108	explorer.exe
2416	explorer.exe
2856	explorer.exe
2256	explorer.exe
1484	explorer.exe
2392	explorer.exe
2900	explorer.exe
1776	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1636	cmd.exe
1636	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\catroot\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\catroot\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1964	schtasks.exe
1284	schtasks.exe
1128	schtasks.exe
1340	schtasks.exe
2068	schtasks.exe
2092	schtasks.exe
1672	schtasks.exe
1288	schtasks.exe
328	schtasks.exe
1672	schtasks.exe
1676	schtasks.exe
1436	schtasks.exe
1988	schtasks.exe
328	schtasks.exe
1592	schtasks.exe
1684	schtasks.exe
1008	schtasks.exe
824	schtasks.exe
1472	schtasks.exe
1960	schtasks.exe
1716	schtasks.exe
1028	schtasks.exe
1156	schtasks.exe
1860	schtasks.exe
1712	schtasks.exe
1692	schtasks.exe
1268	schtasks.exe
1624	schtasks.exe
2116	schtasks.exe
1848	schtasks.exe
1000	schtasks.exe
2156	schtasks.exe
360	schtasks.exe
360	schtasks.exe
652	schtasks.exe
640	schtasks.exe
1428	schtasks.exe
1488	schtasks.exe
1948	schtasks.exe
836	schtasks.exe
2136	schtasks.exe
1668	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	explorer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1916	DllCommonsvc.exe
1916	DllCommonsvc.exe
1916	DllCommonsvc.exe
1916	DllCommonsvc.exe
1916	DllCommonsvc.exe
3052	explorer.exe
1544	explorer.exe
2356	powershell.exe
2748	powershell.exe
2256	powershell.exe
2720	powershell.exe
2212	powershell.exe
2284	powershell.exe
2392	powershell.exe
2668	powershell.exe
2588	powershell.exe
2800	powershell.exe
2192	powershell.exe
2232	powershell.exe
2180	powershell.exe
2432	powershell.exe
2516	powershell.exe
2876	explorer.exe
924	explorer.exe
1044	explorer.exe
1968	explorer.exe
1636	explorer.exe
2108	explorer.exe
2416	explorer.exe
2856	explorer.exe
2256	explorer.exe
1484	explorer.exe
2392	explorer.exe
2900	explorer.exe
1776	explorer.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	DllCommonsvc.exe
Token: SeDebugPrivilege	3052	explorer.exe
Token: SeDebugPrivilege	1544	explorer.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2876	explorer.exe
Token: SeDebugPrivilege	924	explorer.exe
Token: SeDebugPrivilege	1044	explorer.exe
Token: SeDebugPrivilege	1968	explorer.exe
Token: SeDebugPrivilege	1636	explorer.exe
Token: SeDebugPrivilege	2108	explorer.exe
Token: SeDebugPrivilege	2416	explorer.exe
Token: SeDebugPrivilege	2856	explorer.exe
Token: SeDebugPrivilege	2256	explorer.exe
Token: SeDebugPrivilege	1484	explorer.exe
Token: SeDebugPrivilege	2392	explorer.exe
Token: SeDebugPrivilege	2900	explorer.exe
Token: SeDebugPrivilege	1776	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1712	1732	8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe	28
PID 1732 wrote to memory of 1712	1732	8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe	28
PID 1732 wrote to memory of 1712	1732	8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe	28
PID 1732 wrote to memory of 1712	1732	8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe	28
PID 1712 wrote to memory of 1636	1712	WScript.exe	29
PID 1712 wrote to memory of 1636	1712	WScript.exe	29
PID 1712 wrote to memory of 1636	1712	WScript.exe	29
PID 1712 wrote to memory of 1636	1712	WScript.exe	29
PID 1636 wrote to memory of 1916	1636	cmd.exe	31
PID 1636 wrote to memory of 1916	1636	cmd.exe	31
PID 1636 wrote to memory of 1916	1636	cmd.exe	31
PID 1636 wrote to memory of 1916	1636	cmd.exe	31
PID 1916 wrote to memory of 2180	1916	DllCommonsvc.exe	76
PID 1916 wrote to memory of 2180	1916	DllCommonsvc.exe	76
PID 1916 wrote to memory of 2180	1916	DllCommonsvc.exe	76
PID 1916 wrote to memory of 2192	1916	DllCommonsvc.exe	77
PID 1916 wrote to memory of 2192	1916	DllCommonsvc.exe	77
PID 1916 wrote to memory of 2192	1916	DllCommonsvc.exe	77
PID 1916 wrote to memory of 2212	1916	DllCommonsvc.exe	79
PID 1916 wrote to memory of 2212	1916	DllCommonsvc.exe	79
PID 1916 wrote to memory of 2212	1916	DllCommonsvc.exe	79
PID 1916 wrote to memory of 2232	1916	DllCommonsvc.exe	81
PID 1916 wrote to memory of 2232	1916	DllCommonsvc.exe	81
PID 1916 wrote to memory of 2232	1916	DllCommonsvc.exe	81
PID 1916 wrote to memory of 2256	1916	DllCommonsvc.exe	82
PID 1916 wrote to memory of 2256	1916	DllCommonsvc.exe	82
PID 1916 wrote to memory of 2256	1916	DllCommonsvc.exe	82
PID 1916 wrote to memory of 2284	1916	DllCommonsvc.exe	84
PID 1916 wrote to memory of 2284	1916	DllCommonsvc.exe	84
PID 1916 wrote to memory of 2284	1916	DllCommonsvc.exe	84
PID 1916 wrote to memory of 2356	1916	DllCommonsvc.exe	87
PID 1916 wrote to memory of 2356	1916	DllCommonsvc.exe	87
PID 1916 wrote to memory of 2356	1916	DllCommonsvc.exe	87
PID 1916 wrote to memory of 2392	1916	DllCommonsvc.exe	89
PID 1916 wrote to memory of 2392	1916	DllCommonsvc.exe	89
PID 1916 wrote to memory of 2392	1916	DllCommonsvc.exe	89
PID 1916 wrote to memory of 2432	1916	DllCommonsvc.exe	91
PID 1916 wrote to memory of 2432	1916	DllCommonsvc.exe	91
PID 1916 wrote to memory of 2432	1916	DllCommonsvc.exe	91
PID 1916 wrote to memory of 2516	1916	DllCommonsvc.exe	92
PID 1916 wrote to memory of 2516	1916	DllCommonsvc.exe	92
PID 1916 wrote to memory of 2516	1916	DllCommonsvc.exe	92
PID 1916 wrote to memory of 2588	1916	DllCommonsvc.exe	95
PID 1916 wrote to memory of 2588	1916	DllCommonsvc.exe	95
PID 1916 wrote to memory of 2588	1916	DllCommonsvc.exe	95
PID 1916 wrote to memory of 2668	1916	DllCommonsvc.exe	96
PID 1916 wrote to memory of 2668	1916	DllCommonsvc.exe	96
PID 1916 wrote to memory of 2668	1916	DllCommonsvc.exe	96
PID 1916 wrote to memory of 2720	1916	DllCommonsvc.exe	98
PID 1916 wrote to memory of 2720	1916	DllCommonsvc.exe	98
PID 1916 wrote to memory of 2720	1916	DllCommonsvc.exe	98
PID 1916 wrote to memory of 2748	1916	DllCommonsvc.exe	100
PID 1916 wrote to memory of 2748	1916	DllCommonsvc.exe	100
PID 1916 wrote to memory of 2748	1916	DllCommonsvc.exe	100
PID 1916 wrote to memory of 2800	1916	DllCommonsvc.exe	103
PID 1916 wrote to memory of 2800	1916	DllCommonsvc.exe	103
PID 1916 wrote to memory of 2800	1916	DllCommonsvc.exe	103
PID 1916 wrote to memory of 3052	1916	DllCommonsvc.exe	106
PID 1916 wrote to memory of 3052	1916	DllCommonsvc.exe	106
PID 1916 wrote to memory of 3052	1916	DllCommonsvc.exe	106
PID 3052 wrote to memory of 2200	3052	explorer.exe	107
PID 3052 wrote to memory of 2200	3052	explorer.exe	107
PID 3052 wrote to memory of 2200	3052	explorer.exe	107
PID 2200 wrote to memory of 872	2200	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe
"C:\Users\Admin\AppData\Local\Temp\8b05fd53fe39df7f3443c7a7aa751408cf09628bdfea416bb3bb4a062d9a6949.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\catroot\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:872
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        8⤵
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1648
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        10⤵
        
        PID:1268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1124
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        12⤵
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1160
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"
        14⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2120
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
        16⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2364
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
        18⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2620
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
        20⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2776
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
        22⤵
        
        PID:960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2808
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
        24⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2260
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
        26⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2192
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat"
        28⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2348
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
        30⤵
        
        PID:688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2440
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
        32⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:968
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\catroot\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SysWOW64\catroot\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\catroot\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
195B

MD5
48ac5bede0d2e18b81ba7b369dc15513

SHA1
4ba8381f1af20bf0a3b9b6b46a28a669e1e7ffc6

SHA256
160fc70db8f182348edbeb3e22c71641f078fcb06b0b514c4d4f1e47cb13a4e3

SHA512
9fdb2525ac0682966c7cecf36accae2c734be28ed669e1dd9ecdbf68b01d16eaea898680087e4316b7ea2c359d1fbe335f39af23a78d18c1cc4bb1ceaa8e6e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat

Filesize
195B

MD5
404f83b939567c9517b98df3684f6482

SHA1
e41c361cfbaa8bdfaa43cc3337d855b34a3b6237

SHA256
0019e62fe42493851acaec92451dc74e76be9a0bc477303d6866db2106633dc6

SHA512
d2bf3cc57e9cb8e91af8b9980ee832ab959b3ba0d505124b5fb9103acfeca4ea8243983394d05c08c245fd1042666d3f01f78987b4491a1d2c5f6fb872053872

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat

Filesize
195B

MD5
87fb2843612c281c6432ca72d2a215ca

SHA1
3ea563669978b5b97da575e05ef28538936ea795

SHA256
2d29b553a63c0319cc4f7103f8e9284de7879fb1b5f8ddd0fd137488bd3b1038

SHA512
030b21e4458be6a5fa84a0139ea25541b86752c891dd8321f920fb22003b34ab4b68b6439cd8c32993c1f632a912ebedb3aba14fd87a76afba3dc3aafd66c7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

Filesize
195B

MD5
4e5c099e74c5da649dad037e508b864d

SHA1
ea01f504d2eda321eb1bd7c2482cdd2c5136052f

SHA256
ee8c95e545e098111bc1e618541f37ee47894d0d7e3dacb11c21e8063f7873e9

SHA512
55481cab3acc1b14dd8868e017819d159b28fb0705a827c2635834593f83f29cf01fa8eaec1c0046145d41ac7cec6c3adc0ca945c8bcbfc50c07510f7e240a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
195B

MD5
5fbcb59810039284fcb9779005b3f958

SHA1
9e896cdf4ffe5d67fa8d6949747b0e15f1d0772f

SHA256
1bd1c09913bc6f6b8533a7a90870501f8889cfc119cec1294190c5cffa8a72ba

SHA512
6e22d46907af8530e2085bcf532915a3c49c9c7b9ec382ee9487d8f6b4ea4f408d9285a9e9710b98613525e242dd1a553945e3c0f950ac3a7da7ca0d70322448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

Filesize
195B

MD5
c8ac5c4330f9dbaf6b48563bd6fdc9b3

SHA1
ed633c11a25146391c92d2059d98a4862589bd8b

SHA256
149d619a0859339bdd552e1b9efb6a906b0f33d4c3973344efb10f4bd1e56865

SHA512
c57c4cb29531fc871ae2ff5f191bfc5d9c3ea66c71c4f5fddb109b8f1159505a754e1fd58f2992392a6ba3a238c94b89c95c7151db466166480c7505c2f31e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat

Filesize
195B

MD5
1251582dee876d5d07090498e86ab207

SHA1
7754790345d6b6b16518fc5c7580a65de326d5c1

SHA256
c4814ec022b182ca725544c63a8128c9bc907f3be8ec82653e7a00bbc5d49478

SHA512
c3d31fc7e4e1fb05222826844da53a138cafee93a2577542973461edcfb83d275a6abab7a2b5dbe393f0536cf878868534aa335de60e9171ae5bb9994cce7665

Download Submit
C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat

Filesize
195B

MD5
b2068bc3984fc7248829a9dcb472f90b

SHA1
d4dd9527887e9fb2e38b4ba460882b1a48943b33

SHA256
a63c6b62a8f522e7959a7f8b13eb0ad2e194d0b63317a07f9d24739da22f169c

SHA512
a43b79b0f7481b15afc6d7a48e1fb1350d45c39fdea236e3909215bc735a6acb3e49f4c7fffd6520335f01ed88540861dec826dcddbb7045f35d9b4e00707b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
195B

MD5
bdeba4518f4ee0b89ee2367eac8d0592

SHA1
9249dacdd4f43bbf6f4a75631ee93572af485d07

SHA256
9eceb8897dd743fbe5df30097c760707b8932ee6c46f1b505c8c23c7b2b01307

SHA512
66b46fab201a1c92835524c1f47f4d517b3f2236bb7355e2ac2de77b5d6a5e59e071d50d6461382b41dbdffff2840d9b41a47787b50fc97f73b34c17e23b6dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

Filesize
195B

MD5
ca41ff76f62e71fb4d9aa77b43b8fa85

SHA1
5bb9dc7340762b0a802cfca6947db4c0a9e87d57

SHA256
d56198e0f99872317efedc165e0c4375e5591608bf963d4424240515b01fb24a

SHA512
147cebbf1a29212d166b6104c227efcd4e3a25c83215e7937eca6f2f61fb5e922cc660ffebfc78c19c12e906d80ee80bcb95f3bf86570ce8f0729d8675649c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
195B

MD5
9e3d49a2376da8469684d021544bb8e4

SHA1
df22c55403bd3a228d8807156a3f1b9f1ee073bd

SHA256
a037eb3977990fef3856ec8a713c7515002d46a7dbe648c07074337a9186a918

SHA512
9cdc7dd6ba9fc5abf2dae87ef25d44a09007ea5a4a1abac379f48235d2d80d20087a431d4cc04f15a967ceaca003e814a26e37c2140197a2cc80031dc606b028

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat

Filesize
195B

MD5
a6b42d75bd1f334083fdbd95483cad72

SHA1
b089e86cc488cae3d2a3de5135aab92684b367bc

SHA256
ff55bb336f9dd5d925bb222f7f1a9cb753140faf927a2866af815a96b1be7199

SHA512
dbbe2548cfa5348312bc266cecf68d89ea804938f66af250032159d16005b1ec5c9edd30b72a9b09951f6500e3304cc6ff59bd051e32de32555809a2d4bdee94

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

Filesize
195B

MD5
c918de8e5ea64b380a9708603cade34b

SHA1
0e0f089dd2514350d83eb630d7a7e03b3ca47ff1

SHA256
eb7162bc5eb952215e00637e64978f4af64f39e7907105a29631d4ec74e84f9d

SHA512
86e9070a9e5d80408dc393fa3e935e1ed28b3f31a84b75ba1fe7390726c72e8b6695ca71c889c2f4b4fefb52ba1c83659bb63aa7bc6c787be1679eec2bbc0eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
195B

MD5
65b3ca5881de8fb01556c20d48e1ddbd

SHA1
13d9b2a3813f6c0338ec02517ca00f48b179ed81

SHA256
48808cad52d88e47e1bec53ecdb7d809a791069378176feb2e51afddb31a1f9d

SHA512
5f9d2fa27e7e50ae162179ecac34fe92f5b02240a649a52a7aa46cb3332eb7eef4018eb51d54d8ad3f6f1e0986a15c1f33e653cf0af96561e4d518fa5f795a7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21f38a16ce0bcb99dceac0a7d96278a

SHA1
1811d91367940b32d60d599a740c1fb3954522fd

SHA256
77e9ce8f8549131ba7c3f07c3652a0f5cfb34c458e836f39bd6e22ca11d905f2

SHA512
5d19351572f256fd007a108754f23911c66a0f8c8370901c838433756ff560886e3bbae1fd508ac7b0fad1d3d9645dfaf41128e6cfa93001a446e0e185cc348c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\explorer.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1544-160-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1732-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1916-65-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/1916-66-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1916-67-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1916-69-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/1916-68-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2180-86-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2180-159-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/2180-196-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/2180-165-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2180-189-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/2192-89-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2192-186-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2192-163-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2192-76-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/2192-154-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2192-198-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/2192-220-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/2212-121-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2212-169-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/2212-211-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/2212-178-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2212-146-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2212-137-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2212-208-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2232-202-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/2232-229-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2232-166-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2232-156-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2232-187-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2232-88-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2232-230-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/2256-182-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2256-228-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2256-227-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/2256-130-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2256-150-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2256-141-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2256-194-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2284-126-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2284-148-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/2284-180-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/2284-206-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/2284-170-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/2284-209-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/2284-139-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2356-212-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/2356-134-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2356-171-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/2356-122-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2356-214-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/2356-145-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/2356-173-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/2392-124-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2392-221-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/2392-183-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/2392-200-0x000000001BA20000-0x000000001BD1F000-memory.dmp

Filesize
3.0MB

Download
memory/2392-151-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/2432-158-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2432-216-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/2432-133-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2432-218-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2432-188-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2432-167-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2432-217-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/2516-203-0x000000001B940000-0x000000001BC3F000-memory.dmp

Filesize
3.0MB

Download
memory/2516-223-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2516-226-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2516-162-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2516-191-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2516-168-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2516-136-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2588-131-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2588-138-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2588-147-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/2588-199-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/2588-179-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/2668-195-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/2668-123-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2668-143-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2668-152-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2668-184-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2668-213-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2668-215-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/2720-204-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2720-224-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2720-153-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2720-225-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/2720-185-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2720-144-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2748-140-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2748-149-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/2748-181-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/2748-207-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/2748-129-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2748-172-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/2748-210-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/2800-164-0x000007FEF58C0000-0x000007FEF641D000-memory.dmp

Filesize
11.4MB

Download
memory/2800-135-0x000007FEEC0A0000-0x000007FEECAC3000-memory.dmp

Filesize
10.1MB

Download
memory/2800-222-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/2800-219-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/2800-161-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/2800-190-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/2876-205-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/3052-119-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/3052-120-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download