dcrat | c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9.exe
Size

1.3MB
MD5

6f5d4af2281025b5d272b9657dc2b220
SHA1

58974c865c09b3884ca6e76345c5b234c1d557d0
SHA256

c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9
SHA512

1c065f7cc0a87f03d6862320ad61918c179eba082cb360043a0f7378b5b0d4235f3f6a07b8049cca03d246a1b8c2715319e3dfdf3aa98d4039753d593d4df10c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2860	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2860	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c51-10.dat	dcrat
behavioral1/memory/2956-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/1600-150-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/3064-210-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/572-271-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/1248-331-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/352-391-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/2612-451-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1084-511-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/3052-630-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2708-690-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
2616	powershell.exe
1840	powershell.exe
2116	powershell.exe
2328	powershell.exe
2824	powershell.exe
2808	powershell.exe
2088	powershell.exe
2400	powershell.exe
2692	powershell.exe
2340	powershell.exe
2888	powershell.exe
2656	powershell.exe
2772	powershell.exe
2100	powershell.exe
2188	powershell.exe
2272	powershell.exe
2416	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2956	DllCommonsvc.exe
1600	lsass.exe
3064	lsass.exe
572	lsass.exe
1248	lsass.exe
352	lsass.exe
2612	lsass.exe
1084	lsass.exe
3008	lsass.exe
3052	lsass.exe
2708	lsass.exe
2776	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	cmd.exe
2332	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
37	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\dwm.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\ShellNew\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2908	schtasks.exe
2648	schtasks.exe
2592	schtasks.exe
2352	schtasks.exe
2672	schtasks.exe
1608	schtasks.exe
2580	schtasks.exe
2124	schtasks.exe
2308	schtasks.exe
1120	schtasks.exe
1768	schtasks.exe
2356	schtasks.exe
2784	schtasks.exe
584	schtasks.exe
1504	schtasks.exe
448	schtasks.exe
3052	schtasks.exe
2708	schtasks.exe
900	schtasks.exe
2336	schtasks.exe
2572	schtasks.exe
3056	schtasks.exe
1520	schtasks.exe
2160	schtasks.exe
1860	schtasks.exe
1644	schtasks.exe
2152	schtasks.exe
2664	schtasks.exe
1876	schtasks.exe
1224	schtasks.exe
752	schtasks.exe
268	schtasks.exe
3068	schtasks.exe
1992	schtasks.exe
2236	schtasks.exe
1272	schtasks.exe
1780	schtasks.exe
1612	schtasks.exe
2276	schtasks.exe
1572	schtasks.exe
2280	schtasks.exe
1380	schtasks.exe
296	schtasks.exe
1872	schtasks.exe
280	schtasks.exe
2980	schtasks.exe
1484	schtasks.exe
2948	schtasks.exe
1692	schtasks.exe
1396	schtasks.exe
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2956	DllCommonsvc.exe
2956	DllCommonsvc.exe
2956	DllCommonsvc.exe
2888	powershell.exe
2416	powershell.exe
2328	powershell.exe
2772	powershell.exe
2116	powershell.exe
2272	powershell.exe
2188	powershell.exe
2656	powershell.exe
2756	powershell.exe
2808	powershell.exe
2100	powershell.exe
2692	powershell.exe
2400	powershell.exe
2088	powershell.exe
2824	powershell.exe
2340	powershell.exe
1840	powershell.exe
2616	powershell.exe
1600	lsass.exe
3064	lsass.exe
572	lsass.exe
1248	lsass.exe
352	lsass.exe
2612	lsass.exe
1084	lsass.exe
3008	lsass.exe
3052	lsass.exe
2708	lsass.exe
2776	lsass.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	DllCommonsvc.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1600	lsass.exe
Token: SeDebugPrivilege	3064	lsass.exe
Token: SeDebugPrivilege	572	lsass.exe
Token: SeDebugPrivilege	1248	lsass.exe
Token: SeDebugPrivilege	352	lsass.exe
Token: SeDebugPrivilege	2612	lsass.exe
Token: SeDebugPrivilege	1084	lsass.exe
Token: SeDebugPrivilege	3008	lsass.exe
Token: SeDebugPrivilege	3052	lsass.exe
Token: SeDebugPrivilege	2708	lsass.exe
Token: SeDebugPrivilege	2776	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1240	2504	JaffaCakes118_c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9.exe	30
PID 2504 wrote to memory of 1240	2504	JaffaCakes118_c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9.exe	30
PID 2504 wrote to memory of 1240	2504	JaffaCakes118_c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9.exe	30
PID 2504 wrote to memory of 1240	2504	JaffaCakes118_c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9.exe	30
PID 1240 wrote to memory of 2332	1240	WScript.exe	31
PID 1240 wrote to memory of 2332	1240	WScript.exe	31
PID 1240 wrote to memory of 2332	1240	WScript.exe	31
PID 1240 wrote to memory of 2332	1240	WScript.exe	31
PID 2332 wrote to memory of 2956	2332	cmd.exe	33
PID 2332 wrote to memory of 2956	2332	cmd.exe	33
PID 2332 wrote to memory of 2956	2332	cmd.exe	33
PID 2332 wrote to memory of 2956	2332	cmd.exe	33
PID 2956 wrote to memory of 2888	2956	DllCommonsvc.exe	86
PID 2956 wrote to memory of 2888	2956	DllCommonsvc.exe	86
PID 2956 wrote to memory of 2888	2956	DllCommonsvc.exe	86
PID 2956 wrote to memory of 2340	2956	DllCommonsvc.exe	87
PID 2956 wrote to memory of 2340	2956	DllCommonsvc.exe	87
PID 2956 wrote to memory of 2340	2956	DllCommonsvc.exe	87
PID 2956 wrote to memory of 2416	2956	DllCommonsvc.exe	88
PID 2956 wrote to memory of 2416	2956	DllCommonsvc.exe	88
PID 2956 wrote to memory of 2416	2956	DllCommonsvc.exe	88
PID 2956 wrote to memory of 2692	2956	DllCommonsvc.exe	89
PID 2956 wrote to memory of 2692	2956	DllCommonsvc.exe	89
PID 2956 wrote to memory of 2692	2956	DllCommonsvc.exe	89
PID 2956 wrote to memory of 2400	2956	DllCommonsvc.exe	91
PID 2956 wrote to memory of 2400	2956	DllCommonsvc.exe	91
PID 2956 wrote to memory of 2400	2956	DllCommonsvc.exe	91
PID 2956 wrote to memory of 2272	2956	DllCommonsvc.exe	93
PID 2956 wrote to memory of 2272	2956	DllCommonsvc.exe	93
PID 2956 wrote to memory of 2272	2956	DllCommonsvc.exe	93
PID 2956 wrote to memory of 2188	2956	DllCommonsvc.exe	94
PID 2956 wrote to memory of 2188	2956	DllCommonsvc.exe	94
PID 2956 wrote to memory of 2188	2956	DllCommonsvc.exe	94
PID 2956 wrote to memory of 2116	2956	DllCommonsvc.exe	95
PID 2956 wrote to memory of 2116	2956	DllCommonsvc.exe	95
PID 2956 wrote to memory of 2116	2956	DllCommonsvc.exe	95
PID 2956 wrote to memory of 2100	2956	DllCommonsvc.exe	96
PID 2956 wrote to memory of 2100	2956	DllCommonsvc.exe	96
PID 2956 wrote to memory of 2100	2956	DllCommonsvc.exe	96
PID 2956 wrote to memory of 2088	2956	DllCommonsvc.exe	97
PID 2956 wrote to memory of 2088	2956	DllCommonsvc.exe	97
PID 2956 wrote to memory of 2088	2956	DllCommonsvc.exe	97
PID 2956 wrote to memory of 1840	2956	DllCommonsvc.exe	98
PID 2956 wrote to memory of 1840	2956	DllCommonsvc.exe	98
PID 2956 wrote to memory of 1840	2956	DllCommonsvc.exe	98
PID 2956 wrote to memory of 2808	2956	DllCommonsvc.exe	99
PID 2956 wrote to memory of 2808	2956	DllCommonsvc.exe	99
PID 2956 wrote to memory of 2808	2956	DllCommonsvc.exe	99
PID 2956 wrote to memory of 2756	2956	DllCommonsvc.exe	100
PID 2956 wrote to memory of 2756	2956	DllCommonsvc.exe	100
PID 2956 wrote to memory of 2756	2956	DllCommonsvc.exe	100
PID 2956 wrote to memory of 2824	2956	DllCommonsvc.exe	101
PID 2956 wrote to memory of 2824	2956	DllCommonsvc.exe	101
PID 2956 wrote to memory of 2824	2956	DllCommonsvc.exe	101
PID 2956 wrote to memory of 2616	2956	DllCommonsvc.exe	102
PID 2956 wrote to memory of 2616	2956	DllCommonsvc.exe	102
PID 2956 wrote to memory of 2616	2956	DllCommonsvc.exe	102
PID 2956 wrote to memory of 2328	2956	DllCommonsvc.exe	103
PID 2956 wrote to memory of 2328	2956	DllCommonsvc.exe	103
PID 2956 wrote to memory of 2328	2956	DllCommonsvc.exe	103
PID 2956 wrote to memory of 2772	2956	DllCommonsvc.exe	104
PID 2956 wrote to memory of 2772	2956	DllCommonsvc.exe	104
PID 2956 wrote to memory of 2772	2956	DllCommonsvc.exe	104
PID 2956 wrote to memory of 2656	2956	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9980e830a3edc2737c17dbdc7079eee3a3d5124dca728f8b795e41e80154ac9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Pictures\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UEBpdI9yp4.bat"
        5⤵
        
        PID:2360
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2564
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
        7⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1604
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        9⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2044
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        11⤵
        
        PID:1516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1968
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        13⤵
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2736
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
        15⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1596
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        17⤵
        
        PID:1008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2564
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
        19⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1180
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
        21⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3016
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        23⤵
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1240
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        25⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1912
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        27⤵
        
        PID:1228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ShellNew\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\My Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e13c2dcd6dac301277be85407b9a5c91

SHA1
511818eab21422892b89df66cdc4b87a5d311a62

SHA256
d6916bdfe58218f79e863bbbae109354417bc1cd8d022603e98dbbee99e75def

SHA512
3b297b0a82f9b8522d1abc6cd57360e1f03a2863aa1acccc9830b40b499352d9f79e206a33461cbcc115b3ece8c48a60ae638abd32644a54ec5185c1e5b0db4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cf9a5c509c033efa02437719acaed79

SHA1
9186e136ce3999f1ae944ecff9991e1a60c38a4b

SHA256
91b2ea13d0a87f36730e01ff6459f85efc7b15f86650c8daab9c3cde77e74404

SHA512
928e30592890afd174bac30506215c7784f9ad5b6e7edc28a37a41fbe695a98a78ed1c4d47577d9274c065cc14fe3c8bfdb05ab3ed818806dd1439ea9346506b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd411b6b651a69c9d49c2d070d88ba02

SHA1
1461bd50271af306fcc1985d7a644383e55fd028

SHA256
3d974eecc0df36a4dc6cbb3f8a92f64ef4930951d18ca315d67d500cde744830

SHA512
443e0c8ab4f3b95e232899dc80e33e46e34d01867311ca06f2bb68e3655e074ad52ee22803a6e5c0d9ea11266627d9b617889ad75ed571a51168f20bf49d3f14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
130312d96954240e9e626472c8923204

SHA1
bddd9a22fb3b90bb2dccc64ae15269cbd7d98590

SHA256
f4bd3c4c9f6614e26707a6e373b39f204072031aa2fe5b94921d0dc8837ca443

SHA512
c68166468b3b3c687104641d5b3ab00b92207581f1a9bf602a70690e4a4a83808f9f85c42aee998270bfcc24ca2b60e7fbf4e824d2d5e1d57e43ce050375e0ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37314c9e8b5993b651027ef9e5ba1955

SHA1
3e6736c99d1469bd6e46541629cd07b5c1c9cae2

SHA256
03cd6f5ce59d6392f030e02ad1a61997d0754c22f0681d7442d110ccb81744d9

SHA512
e04faa6b431470feffb94f92a96e98e06c1f19fcc2925f47abac49ea0828dc6a68e569752099d2ee811467eac00d94f71fc5f6cdb3c1e8a0ce459520402d1701

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81b0c834b280984f6f80776ea6f6c98a

SHA1
9ed1c895d24121ab1bd4ea21788c9ae711af862d

SHA256
92900781ae257c95d8b867ef0e2c2983dd887ad93f14162666d5cbc462b8e118

SHA512
146bf5a74ee8edd215e20b921ff4e6ac83f62b85353974afcff0f3f1e6ed236cef1c15a167c78fae6ea299c0d78a45cf104f96d07b79f49b2d75b59223a42482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acba3b96163dc4f144f051e7a81763a5

SHA1
cbff72f4e666ce6340cd880d1f81d484d73396d0

SHA256
35729d9ba786a69d929938a3d815bdac37b63bfe5102347c1d43488d2c9c64b9

SHA512
7916f1e1d47a9a0131363bc169ef4b8a4740f33cee226517e2a59ecef1e12070bfc226bc1a8bc9973d50d8089aecd851d67ee6b1e94faf3f37a4f7a4884bd224

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35aa0644aabc8ff38bc78c0151d9a2a7

SHA1
8c4720d777359a8ecdb2f1a7f2ad47dff4bd8b5d

SHA256
eceee243257659cca93b96a323505102d99064aeb35b3bd801bb7b3bba1709ba

SHA512
def8a03442bd3aae2e81b117f1b6b5776e1a542ced5781c3b2e85b2eda5de9e9a6a16f4eb1eb4639cb60ae16e216e4c3101e1ae595d4e3df4633e0192639abb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94b9bd469ffe35fedc354180106cbe47

SHA1
d0abc2bc289054fdb2912f0854f6858acf10b965

SHA256
2247a51d46e0edfa5929f515c572c0e229784b7d6bfd34282be838f4e7b5843b

SHA512
075a69c2c803bac2edefcb87127ec98d84794052b1121d3100eae6bff58896e2a4a3a41347e11c95ea5d9a6ba62989dff05a27558e94080172e32bd33dd2596a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dccf597f4e26d4dfe1e700c344e987b

SHA1
3f188ed98db1cfb86f0c7243548424d2949394f6

SHA256
5d226c4a886993a7d71dfdcdffbfdc4ebe06ec4d9699038c971414b4c60617ed

SHA512
823369135f2dbd70ca42b2ea910d80413a2ae77ffbaef6eb6afa4a466fc529132a57ec2f4aa346a9f6563b21648e0e4b4ffc1f89ec96ef1b0e9c9362ff9e5827

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
237B

MD5
3db0e9bcec1a4982dd6b7d696fd66004

SHA1
80e5718a2d67f17c1de9b43761b6855debe9b8ed

SHA256
d88e992a74006e27f24881b8d199acbe2deed1bffb2f9233020722765f360e87

SHA512
b2bade45186704bf34751b3017599f9ee735cd4446952144a344f6d84465e7a7759b1b65cae1fc3cc2030949a76e19c43f63a0f47481f4a87aa388c6e857e950

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
237B

MD5
05c630b18766f9f246c28c84be726a14

SHA1
1c24f1fae63f3894fc5c9250a209ec8a3f74e127

SHA256
1b4adf0e1ed99065519ab2d964b90f67e2706a179258431ad347e90895bfe26f

SHA512
e4913a9e0f9fab60f0aae79f185a82cf9e058c7c5bdd3434c5e9ebadf3f99c1aade89327176529e1e53709d16c993a3b73b34faa1e2ac22696af8cc7d5866675

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF559.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
237B

MD5
b46124e0197ca64e046b3675357c6891

SHA1
33dde6b5aa47ce7ea79bdfe3e9c0e63a7226e6c9

SHA256
87e6c52063667a184a323ccf89cafe624aa7b2b287ba049246e6bed5ccad75fe

SHA512
bfc124e32bcc1e39221a4620a712ca48c02b31b2eeb599cf808fdb439a703b7c59a06de6cbceeaae0d076addb8fc9f22cdba58906f54c02bd767603a0b42bfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
237B

MD5
5eebefdae0b2708876831d1a8c957457

SHA1
c731aea334da6363b56afaa3638eb6d7f42dc53d

SHA256
434e68311bf6f1f2b649ea18fb597dc00cdc9acef35c07475e8c4991f4a7eb15

SHA512
511e88911dcfe17c0eb75152900986d74cef7740943e6fb3509257658038af23fc9847376fd9b6a6df2f7770895ad86324dd5e12eb938bc2bba2511148287353

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
237B

MD5
efdc0ed57eff9ddfc1aee2a2878fc7bb

SHA1
3dea6882eeb4f82e2e604a236aa7b2c8709f779e

SHA256
b80d79481362a126eafc3710bc3f71ca029339b094b21fca6bebeaea3d978c72

SHA512
beeb2e557ae58ba49beffbd8e89263d57fcb9e8b25f5ad64701aaacd26c5786326fe8de0a0249d54644de3a9b9ca5b2efc00b3828664e8087a508bb29809ea53

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

Filesize
237B

MD5
f91d2d4131eeecf09474152b4ef5aecf

SHA1
411c83b946f627c5595e756a6c123a798754a1c4

SHA256
90c72f4993c470965e162daa5fd166de02f7b9257daddaf4eca1f5eea0b800da

SHA512
d89d720161f182846e70c40a684c1baf257ac97992ce7922353acad595688af99d039854f1df965f5fd16af88d5daa07f516f765bb58c954afb7325a9e4a37a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
237B

MD5
48b73c7fdf6d656042011b135978c500

SHA1
093e147612ae1ba5ef91c6ef532142abf9cd272e

SHA256
140d806c6c30f6cc237dfa1819008d9cdab5345551cb0686b4cfa384fec082a3

SHA512
bb88ece190b8218410de97c1067e1887ffdbd7f63eabee6fdc9de53a2b72205a24d9e66efb5ba54fba271f2dd3853d4959649011fdd3f3973d1a7d9605267b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

Filesize
237B

MD5
11a33f2028803f8fd3ef3abc5846e70d

SHA1
3a1904779a430ab38d4a204f99c6a79a223b3cc1

SHA256
d03535be2dfe8b3df4076fdafc05e749af4b1fb7653c2d655a0e5397ceba7da2

SHA512
89d47010e73bf1ccec9e59d3a9f773c476d1d663fa078f29f0ec80bd53b670cf972554d902413c15559bd553c46131e2d285c1377a3a6ed8f56d832b72524cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF57B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEBpdI9yp4.bat

Filesize
237B

MD5
4ab4ffc925c26cf18929a221b1d68d96

SHA1
7b57e77df20b379a23e2ce8ec7e1a023e69005e9

SHA256
193876f470a164fbfc575fbd21c7b3bba26b2a80a37cc6ef5dfef8dd477a8ef1

SHA512
de67261e5787bd0a12aebf00fb56196831495f87ea8da8859cf8b652208121e582b6a7bb5480a8d0aee81910bb8a5aa2d5b3ad20eaba859657c4a2221a056553

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
237B

MD5
366e851a558c21e746a8a85d9d81ecb2

SHA1
64d7b134fa35c16e948de9654fc35b3d829acf56

SHA256
a6185fab985fa4820fc86e2b603dcd584f4c9beae4f9004356c44b3ff5e61cf6

SHA512
f43bd2bbd7a573cbed65fbf084beb708c9aee2daae96379ecb1c6475925bc8f95be27cacde23695d0a4e72dce7e99a3da4adee0509ae941504334c6fbb796060

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
237B

MD5
f40bea3191af556840e8be1b7d767411

SHA1
119ed61ef980022218d090999eacd10894607a46

SHA256
15c2f405671d0e26262091c9c839d972e79bf1f3ad693b7ac23bf7b8e0c0bb46

SHA512
3adb080ab91abef5fa8eee0881d08ae5e0f26020bb333c53bb836c2288a95af6a2f61b67d65d9cc57ec1b849ee44964c2a6b43a67a05639ae5a9e4dae4fe82d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

Filesize
237B

MD5
af9fe436d6b9e09662d8f823f603955d

SHA1
50d082748b78cca4f528c34670a724aa1831d444

SHA256
b1379c5db600ad479c48c5f8b3c02fd13772bdb1f1d3ba4e087f0e8297d5c962

SHA512
bf1e982b444988734ae9862d1ba6d8ff885a28fdfa97b910e0489ffb47db8143747f5e56a28292ef0e1797a48333db7085c1889b40570fc7124492f24b30d5eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
acff7d068d21b88a455c0cde6d50bf91

SHA1
543849f5599ce5824cfa54b25c69e37f04b0beaf

SHA256
c2ecce048ab05d3273cb0607cb096fab47e6b896b19a54522b48e6ca09081cf9

SHA512
19d6d419b32dd54652f99aa9765abc12604ba67a9a82c1f109785748edfa160c272438a617ea2c2a9a0415a282e5fd3e547257a6cac32c66da7c540e71e589c5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/352-391-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/572-271-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1084-511-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/1248-331-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/1600-150-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1600-151-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2416-66-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2416-65-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2612-451-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2708-690-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2956-15-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2956-16-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2956-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2956-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2956-17-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/3052-630-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/3064-210-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/3064-211-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download