dcrat | 3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exe
Size

1.3MB
MD5

7ff4c9c3018952037aa84b523c0023cc
SHA1

d124aeb43630601e9fd65f4b5f7421d4721c0018
SHA256

3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885
SHA512

c777c2d25960eb905d459d0487b1045edfe83058ca9b544e9823f965546eab84f174018e50e377cc473a42e1bc134689db628ccbef2452d894fa0b455018c47f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	1232	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1232	schtasks.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/2756-139-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat
C:\Recovery\WindowsRE\services.exe	dcrat

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services.exe3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exeWScript.execmd.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 10 IoCs

Processes:

DllCommonsvc.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	process
2756	DllCommonsvc.exe
224	services.exe
4376	services.exe
1596	services.exe
1188	services.exe
1900	services.exe
1540	services.exe
1816	services.exe
2572	services.exe
5652	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\es-ES\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2976	schtasks.exe
2980	schtasks.exe
1692	schtasks.exe
2744	schtasks.exe
3292	schtasks.exe
2152	schtasks.exe
2720	schtasks.exe
4960	schtasks.exe
3024	schtasks.exe
4544	schtasks.exe
4304	schtasks.exe
2840	schtasks.exe
864	schtasks.exe
4992	schtasks.exe
2300	schtasks.exe
4616	schtasks.exe
3036	schtasks.exe
4800	schtasks.exe
3508	schtasks.exe
524	schtasks.exe
316	schtasks.exe
1828	schtasks.exe
3664	schtasks.exe
1212	schtasks.exe
4196	schtasks.exe
2804	schtasks.exe
540	schtasks.exe
1196	schtasks.exe
2180	schtasks.exe
4728	schtasks.exe
3048	schtasks.exe
224	schtasks.exe
4736	schtasks.exe
3668	schtasks.exe
4116	schtasks.exe
2284	schtasks.exe
3144	schtasks.exe
3056	schtasks.exe
4036	schtasks.exe
1800	schtasks.exe
3288	schtasks.exe
4340	schtasks.exe
3136	schtasks.exe
616	schtasks.exe
3396	schtasks.exe
3284	schtasks.exe
1772	schtasks.exe
2504	schtasks.exe

Modifies registry class 10 IoCs

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exe3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exeservices.exeservices.exeservices.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	services.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2348	powershell.exe
2348	powershell.exe
4840	powershell.exe
4840	powershell.exe
3128	powershell.exe
3128	powershell.exe
1672	powershell.exe
1672	powershell.exe
4852	powershell.exe
4852	powershell.exe
3012	powershell.exe
3012	powershell.exe
1008	powershell.exe
1008	powershell.exe
5064	powershell.exe
5064	powershell.exe
1976	powershell.exe
1976	powershell.exe
4680	powershell.exe
4680	powershell.exe
4676	powershell.exe
4676	powershell.exe
4164	powershell.exe
4164	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	2756	DllCommonsvc.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	224	services.exe
Token: SeDebugPrivilege	4376	services.exe
Token: SeDebugPrivilege	1596	services.exe
Token: SeDebugPrivilege	1188	services.exe
Token: SeDebugPrivilege	1900	services.exe
Token: SeDebugPrivilege	1540	services.exe
Token: SeDebugPrivilege	1816	services.exe
Token: SeDebugPrivilege	2572	services.exe
Token: SeDebugPrivilege	5652	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exeWScript.execmd.exeDllCommonsvc.execmd.exeservices.exeservices.execmd.exeservices.execmd.exeservices.exe

description	pid	process	target process
PID 4676 wrote to memory of 4160	4676	3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exe	WScript.exe
PID 4676 wrote to memory of 4160	4676	3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exe	WScript.exe
PID 4676 wrote to memory of 4160	4676	3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exe	WScript.exe
PID 4160 wrote to memory of 2260	4160	WScript.exe	cmd.exe
PID 4160 wrote to memory of 2260	4160	WScript.exe	cmd.exe
PID 4160 wrote to memory of 2260	4160	WScript.exe	cmd.exe
PID 2260 wrote to memory of 2756	2260	cmd.exe	DllCommonsvc.exe
PID 2260 wrote to memory of 2756	2260	cmd.exe	DllCommonsvc.exe
PID 2756 wrote to memory of 2348	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 2348	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 3128	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 3128	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4840	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4840	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 1672	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 1672	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4852	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4852	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 3012	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 3012	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 1008	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 1008	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 5064	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 5064	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 1976	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 1976	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4796	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4796	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4680	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4680	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4676	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4676	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4164	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4164	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 2984	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 2984	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4072	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4072	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 1824	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 1824	2756	DllCommonsvc.exe	powershell.exe
PID 2756 wrote to memory of 4592	2756	cmd.exe	powershell.exe
PID 2756 wrote to memory of 4592	2756	cmd.exe	powershell.exe
PID 2756 wrote to memory of 224	2756	cmd.exe	services.exe
PID 2756 wrote to memory of 224	2756	cmd.exe	services.exe
PID 224 wrote to memory of 2756	224	services.exe	cmd.exe
PID 224 wrote to memory of 2756	224	services.exe	cmd.exe
PID 2756 wrote to memory of 4280	2756	cmd.exe	w32tm.exe
PID 2756 wrote to memory of 4280	2756	cmd.exe	w32tm.exe
PID 2756 wrote to memory of 4376	2756	cmd.exe	services.exe
PID 2756 wrote to memory of 4376	2756	cmd.exe	services.exe
PID 4376 wrote to memory of 3120	4376	services.exe	cmd.exe
PID 4376 wrote to memory of 3120	4376	services.exe	cmd.exe
PID 3120 wrote to memory of 3640	3120	cmd.exe	w32tm.exe
PID 3120 wrote to memory of 3640	3120	cmd.exe	w32tm.exe
PID 3120 wrote to memory of 1596	3120	cmd.exe	services.exe
PID 3120 wrote to memory of 1596	3120	cmd.exe	services.exe
PID 1596 wrote to memory of 5436	1596	services.exe	cmd.exe
PID 1596 wrote to memory of 5436	1596	services.exe	cmd.exe
PID 5436 wrote to memory of 4288	5436	cmd.exe	w32tm.exe
PID 5436 wrote to memory of 4288	5436	cmd.exe	w32tm.exe
PID 5436 wrote to memory of 1188	5436	cmd.exe	services.exe
PID 5436 wrote to memory of 1188	5436	cmd.exe	services.exe
PID 1188 wrote to memory of 5892	1188	services.exe	cmd.exe
PID 1188 wrote to memory of 5892	1188	services.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exe
"C:\Users\Admin\AppData\Local\Temp\3412a52e0cc2e4a1e876eb8bcc416e79a0a2e5992b0972b4eece8292a4595885.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe'
        5⤵
        
        PID:4796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SearchApp.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\System.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
    - - C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4280
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3640
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4288
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
        12⤵
        
        PID:5892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1672
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        14⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:5592
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        16⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5160
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
        18⤵
        
        PID:5164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3804
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        20⤵
        
        PID:4120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2064
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
        22⤵
        
        PID:5828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:5212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
588e5b3406537204588ef39f4c84259f

SHA1
c6056b8139c0796cc6272b7b71fca2085f62b785

SHA256
3b7e7c56deb0f16483d67e60a42a5f0a58ee557790fe0f312d036e4ecc31f7f0

SHA512
f85ea8f8f0c3ea56840a84f42a188f125c13cea8b23f86ddcce8eb28758e816dd6d871154dfe63d250ef369b153f72c587a7a8bccd0a2728b7bc922dd7436e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

Filesize
199B

MD5
809304d18092c233b78e247a02e02456

SHA1
8ff4b8b827142cf1a655a86cd8fa46e3fdb2caf8

SHA256
3fc5aec91701c01001568958aec1819563aab7c5b7e530f6f5773f73fd8c5ac7

SHA512
5b6e8eefba39de8d64ec56685f2238f11f6bdd23c76e785852ec6dc186bd45607fae16bb623bc5feea061d51051327c353ec18555f188835b997ce1385a321b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

Filesize
199B

MD5
4aab188058d1268ee344736439ed4b54

SHA1
faaa4492eae1f04e30afe7ffad468d1a2214363c

SHA256
9329cdb616e20442b0e1c088fe1601fc200558dabc290fef9c3596ebf9dfbe6f

SHA512
303ff06a6fb609c3b84431af07e04925f2cb4bc571ae597c8f9e4731da8944cc47c5dedf9cf3e168862fed02f9d3f46d6d0dfd0ba1a0ce43d1320435f8044630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
199B

MD5
524f283384c7036d2b159cd3de72dfa5

SHA1
eb3564095d358815bc2db8c79387f430f6d5f8c0

SHA256
c62848d5b5e0990437d48dce23854368db887db4cba436b630014a4fe638423e

SHA512
043219bef99d798aa7c2d5a76085d13a5c1cd1d097e49d5d777366b44bd89f5eacefb019cd0b290d1b0cf17489b4fcb6584dcfd8be250f2342cb4673b123e02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
199B

MD5
931e3d371903438540ff866165f59f4a

SHA1
82d5b519c1ac79cfe770fdf5b4547a77c2c586ca

SHA256
98c32bc11a17e99b311083653cc45d7ef7b2d278e5688d288d6026eada78e479

SHA512
24a60e695746473a7f52fe1137bb4265a83e093e3c0fa3d3683af5587c59a1132cbb00d8f46dae63fd52fd23c6a3ad0952a86dfbc75f3bdcf37ee3d30551268f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
199B

MD5
98a9bff8d217114416cf748cc0700d6d

SHA1
8f03e0590a5532a0e7799f88dd65a444d8e5ef10

SHA256
f1679e4873c9238746cbc466040dd6ca793dd3cc1278713e2d299c6ae5ffeed4

SHA512
be0509e071d44553179a0bdcf1d270ad21e64e005903460d7aca9438f9e74502dcd1e40a32035227d03c95192c62008a49a929ca3aae192a664dd5f27692b817

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
199B

MD5
98a9bff8d217114416cf748cc0700d6d

SHA1
8f03e0590a5532a0e7799f88dd65a444d8e5ef10

SHA256
f1679e4873c9238746cbc466040dd6ca793dd3cc1278713e2d299c6ae5ffeed4

SHA512
be0509e071d44553179a0bdcf1d270ad21e64e005903460d7aca9438f9e74502dcd1e40a32035227d03c95192c62008a49a929ca3aae192a664dd5f27692b817

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
199B

MD5
60159919d7833a8d2d1a155f640c42de

SHA1
2567e7d99d691035527ea7c9ed934587a4ce1c07

SHA256
2f9f5d323bddb84e4bee7fe4cb63af7aa7766dfae324204c244d21fc12a24709

SHA512
e076dbbd920a9dd8b0ca3ca764ee355af1d0be955be064df0860b33c23f9365fdc900102b2c2d99f3855ce9732228c6747014d8fceeb2050ec3cf3dfcc8f0c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

Filesize
199B

MD5
4dfe2c1ecdc258b42eb872347bcc1d32

SHA1
18f03042289c9997ad35d271d16a894fbf037d35

SHA256
c8eecb41afc36b64fe88d8d8768bdbab2224892806216e1e3317bcb53434061b

SHA512
7e05dd6252daef1227ad12e0e3cc5f2f10862d3d64792239a6b8548b662f82485284fcd2d5a9f80d7e70d448d09b69449b23a8ce9cf7ea4ab5c6705257821289

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

Filesize
199B

MD5
8824c7951172ee0a90bf2f4f01361c6c

SHA1
ac0dc8f05f2950384fddd4e154875142f0f33685

SHA256
9dee2fc482c30ca55bbbbb6ff71477903e58538f1049f8ab40a24bdc2c185fc7

SHA512
d39b0d65311f268547d31afd2487e6d3445b2ef041c5dd98e1123e061ebb3b8729c230c1d4668cc2b0add5c06587abdfd7516591d144a7354cf802d736d8db3a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/224-166-0x0000000000000000-mapping.dmp

Download
memory/224-179-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/224-215-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/1008-195-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/1008-163-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/1008-147-0x0000000000000000-mapping.dmp

Download
memory/1188-238-0x00007FFC3A190000-0x00007FFC3AC51000-memory.dmp

Filesize
10.8MB

Download
memory/1188-232-0x0000000000000000-mapping.dmp

Download
memory/1188-234-0x00007FFC3A190000-0x00007FFC3AC51000-memory.dmp

Filesize
10.8MB

Download
memory/1272-242-0x0000000000000000-mapping.dmp

Download
memory/1540-252-0x00007FFC3A240000-0x00007FFC3AD01000-memory.dmp

Filesize
10.8MB

Download
memory/1540-246-0x0000000000000000-mapping.dmp

Download
memory/1540-248-0x00007FFC3A240000-0x00007FFC3AD01000-memory.dmp

Filesize
10.8MB

Download
memory/1596-231-0x00007FFC3A190000-0x00007FFC3AC51000-memory.dmp

Filesize
10.8MB

Download
memory/1596-227-0x00007FFC3A190000-0x00007FFC3AC51000-memory.dmp

Filesize
10.8MB

Download
memory/1596-224-0x0000000000000000-mapping.dmp

Download
memory/1596-226-0x00007FFC3A190000-0x00007FFC3AC51000-memory.dmp

Filesize
10.8MB

Download
memory/1672-157-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/1672-186-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/1672-237-0x0000000000000000-mapping.dmp

Download
memory/1672-144-0x0000000000000000-mapping.dmp

Download
memory/1816-255-0x00007FFC3A240000-0x00007FFC3AD01000-memory.dmp

Filesize
10.8MB

Download
memory/1816-259-0x00007FFC3A240000-0x00007FFC3AD01000-memory.dmp

Filesize
10.8MB

Download
memory/1816-253-0x0000000000000000-mapping.dmp

Download
memory/1824-159-0x0000000000000000-mapping.dmp

Download
memory/1824-208-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/1824-167-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/1900-245-0x00007FFC3A190000-0x00007FFC3AC51000-memory.dmp

Filesize
10.8MB

Download
memory/1900-239-0x0000000000000000-mapping.dmp

Download
memory/1900-241-0x00007FFC3A190000-0x00007FFC3AC51000-memory.dmp

Filesize
10.8MB

Download
memory/1976-175-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/1976-149-0x0000000000000000-mapping.dmp

Download
memory/1976-199-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/2064-265-0x0000000000000000-mapping.dmp

Download
memory/2260-135-0x0000000000000000-mapping.dmp

Download
memory/2348-189-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/2348-150-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/2348-141-0x0000000000000000-mapping.dmp

Download
memory/2348-162-0x00000287F3130000-0x00000287F3152000-memory.dmp

Filesize
136KB

Download
memory/2468-249-0x0000000000000000-mapping.dmp

Download
memory/2572-262-0x00007FFC3A240000-0x00007FFC3AD01000-memory.dmp

Filesize
10.8MB

Download
memory/2572-266-0x00007FFC3A240000-0x00007FFC3AD01000-memory.dmp

Filesize
10.8MB

Download
memory/2572-260-0x0000000000000000-mapping.dmp

Download
memory/2756-136-0x0000000000000000-mapping.dmp

Download
memory/2756-139-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/2756-140-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/2756-212-0x0000000000000000-mapping.dmp

Download
memory/2756-171-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/2984-156-0x0000000000000000-mapping.dmp

Download
memory/2984-204-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/2984-177-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/3012-146-0x0000000000000000-mapping.dmp

Download
memory/3012-160-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/3012-188-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/3120-220-0x0000000000000000-mapping.dmp

Download
memory/3128-153-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/3128-142-0x0000000000000000-mapping.dmp

Download
memory/3128-187-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/3640-222-0x0000000000000000-mapping.dmp

Download
memory/3804-258-0x0000000000000000-mapping.dmp

Download
memory/4072-158-0x0000000000000000-mapping.dmp

Download
memory/4072-178-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4072-209-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4120-263-0x0000000000000000-mapping.dmp

Download
memory/4160-132-0x0000000000000000-mapping.dmp

Download
memory/4164-155-0x0000000000000000-mapping.dmp

Download
memory/4164-165-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4164-197-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4280-214-0x0000000000000000-mapping.dmp

Download
memory/4288-230-0x0000000000000000-mapping.dmp

Download
memory/4376-216-0x0000000000000000-mapping.dmp

Download
memory/4376-223-0x00007FFC3A130000-0x00007FFC3ABF1000-memory.dmp

Filesize
10.8MB

Download
memory/4376-219-0x00007FFC3A130000-0x00007FFC3ABF1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-170-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4592-211-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4592-161-0x0000000000000000-mapping.dmp

Download
memory/4676-154-0x0000000000000000-mapping.dmp

Download
memory/4676-207-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4676-164-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4680-176-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4680-206-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4680-152-0x0000000000000000-mapping.dmp

Download
memory/4796-151-0x0000000000000000-mapping.dmp

Download
memory/4840-192-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4840-143-0x0000000000000000-mapping.dmp

Download
memory/4840-172-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4852-193-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4852-173-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/4852-145-0x0000000000000000-mapping.dmp

Download
memory/5064-148-0x0000000000000000-mapping.dmp

Download
memory/5064-191-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/5064-174-0x00007FFC3A940000-0x00007FFC3B401000-memory.dmp

Filesize
10.8MB

Download
memory/5160-251-0x0000000000000000-mapping.dmp

Download
memory/5164-256-0x0000000000000000-mapping.dmp

Download
memory/5212-272-0x0000000000000000-mapping.dmp

Download
memory/5436-228-0x0000000000000000-mapping.dmp

Download
memory/5592-244-0x0000000000000000-mapping.dmp

Download
memory/5652-267-0x0000000000000000-mapping.dmp

Download
memory/5652-269-0x00007FFC3A240000-0x00007FFC3AD01000-memory.dmp

Filesize
10.8MB

Download
memory/5652-273-0x00007FFC3A240000-0x00007FFC3AD01000-memory.dmp

Filesize
10.8MB

Download
memory/5828-270-0x0000000000000000-mapping.dmp

Download
memory/5892-235-0x0000000000000000-mapping.dmp

Download