dcrat | 2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
Size

1.3MB
MD5

43242439dc95e17a63c708547b31b90f
SHA1

3449c3cf0bd1f535ddad2f8fbed733d57750ac7c
SHA256

2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581
SHA512

aaa85a6da5f9e0abe19ff3fdf18c38f783315079b7ccd56bcc4228fd23dc46ac94e5d4bd0f39bcce06503aec1c8a5c61243d017bf8331d56de466c1a6bd29de4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4140	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4140	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac18-279.dat	dcrat
behavioral1/files/0x000900000001ac18-280.dat	dcrat
behavioral1/memory/3564-281-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac2b-604.dat	dcrat
behavioral1/files/0x000600000001ac2b-603.dat	dcrat
behavioral1/files/0x000600000001ac2b-789.dat	dcrat
behavioral1/files/0x000600000001ac2b-796.dat	dcrat
behavioral1/files/0x000600000001ac2b-801.dat	dcrat
behavioral1/files/0x000600000001ac2b-807.dat	dcrat
behavioral1/files/0x000600000001ac2b-812.dat	dcrat
behavioral1/files/0x000600000001ac2b-817.dat	dcrat
behavioral1/files/0x000600000001ac2b-822.dat	dcrat
behavioral1/files/0x000600000001ac2b-827.dat	dcrat
behavioral1/files/0x000600000001ac2b-832.dat	dcrat
behavioral1/files/0x000600000001ac2b-837.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3564	DllCommonsvc.exe
2140	csrss.exe
2752	csrss.exe
4796	csrss.exe
1184	csrss.exe
2300	csrss.exe
3708	csrss.exe
1376	csrss.exe
4232	csrss.exe
1180	csrss.exe
4144	csrss.exe
4440	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Program Files\Common Files\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\SearchUI.exe	DllCommonsvc.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\assembly\tmp\SearchUI.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\Help\ja-JP\SearchUI.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\Framework\1041\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\Framework\1041\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-nshhttp_31bf3856ad364e35_10.0.15063.0_none_8f15aa6fe1a9e91c\services.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Windows\Help\ja-JP\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Windows\Help\it-IT\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Help\it-IT\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\assembly\tmp\dab4d89cac03ec	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1336	schtasks.exe
4600	schtasks.exe
1020	schtasks.exe
3988	schtasks.exe
4552	schtasks.exe
3244	schtasks.exe
1532	schtasks.exe
60	schtasks.exe
1908	schtasks.exe
1820	schtasks.exe
32	schtasks.exe
4852	schtasks.exe
4868	schtasks.exe
4684	schtasks.exe
908	schtasks.exe
4584	schtasks.exe
552	schtasks.exe
972	schtasks.exe
1016	schtasks.exe
3184	schtasks.exe
4872	schtasks.exe
1180	schtasks.exe
1604	schtasks.exe
4752	schtasks.exe
3332	schtasks.exe
3200	schtasks.exe
3704	schtasks.exe
4928	schtasks.exe
4708	schtasks.exe
3928	schtasks.exe
4008	schtasks.exe
3312	schtasks.exe
424	schtasks.exe
1708	schtasks.exe
1224	schtasks.exe
3104	schtasks.exe
4932	schtasks.exe
4908	schtasks.exe
4772	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3564	DllCommonsvc.exe
3564	DllCommonsvc.exe
3564	DllCommonsvc.exe
3564	DllCommonsvc.exe
3564	DllCommonsvc.exe
3168	powershell.exe
3168	powershell.exe
780	powershell.exe
780	powershell.exe
2372	powershell.exe
2372	powershell.exe
2256	powershell.exe
2256	powershell.exe
2004	powershell.exe
2004	powershell.exe
2752	powershell.exe
2752	powershell.exe
768	powershell.exe
768	powershell.exe
1872	powershell.exe
1872	powershell.exe
2196	powershell.exe
2196	powershell.exe
2688	powershell.exe
2688	powershell.exe
2372	powershell.exe
2752	powershell.exe
4964	powershell.exe
4964	powershell.exe
780	powershell.exe
2196	powershell.exe
4700	powershell.exe
4700	powershell.exe
2004	powershell.exe
2660	powershell.exe
2660	powershell.exe
768	powershell.exe
1872	powershell.exe
2688	powershell.exe
2892	powershell.exe
2892	powershell.exe
2256	powershell.exe
3168	powershell.exe
3168	powershell.exe
2660	powershell.exe
4700	powershell.exe
4964	powershell.exe
2892	powershell.exe
2752	csrss.exe
2004	powershell.exe
2372	powershell.exe
2372	powershell.exe
780	powershell.exe
780	powershell.exe
768	powershell.exe
2196	powershell.exe
2688	powershell.exe
1872	powershell.exe
3168	powershell.exe
2256	powershell.exe
2256	powershell.exe
4700	powershell.exe
2660	powershell.exe
4964	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3564	DllCommonsvc.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeIncreaseQuotaPrivilege	2004	powershell.exe
Token: SeSecurityPrivilege	2004	powershell.exe
Token: SeTakeOwnershipPrivilege	2004	powershell.exe
Token: SeLoadDriverPrivilege	2004	powershell.exe
Token: SeSystemProfilePrivilege	2004	powershell.exe
Token: SeSystemtimePrivilege	2004	powershell.exe
Token: SeProfSingleProcessPrivilege	2004	powershell.exe
Token: SeIncBasePriorityPrivilege	2004	powershell.exe
Token: SeCreatePagefilePrivilege	2004	powershell.exe
Token: SeBackupPrivilege	2004	powershell.exe
Token: SeRestorePrivilege	2004	powershell.exe
Token: SeShutdownPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeSystemEnvironmentPrivilege	2004	powershell.exe
Token: SeRemoteShutdownPrivilege	2004	powershell.exe
Token: SeUndockPrivilege	2004	powershell.exe
Token: SeManageVolumePrivilege	2004	powershell.exe
Token: 33	2004	powershell.exe
Token: 34	2004	powershell.exe
Token: 35	2004	powershell.exe
Token: 36	2004	powershell.exe
Token: SeIncreaseQuotaPrivilege	2752	csrss.exe
Token: SeSecurityPrivilege	2752	csrss.exe
Token: SeTakeOwnershipPrivilege	2752	csrss.exe
Token: SeLoadDriverPrivilege	2752	csrss.exe
Token: SeSystemProfilePrivilege	2752	csrss.exe
Token: SeSystemtimePrivilege	2752	csrss.exe
Token: SeProfSingleProcessPrivilege	2752	csrss.exe
Token: SeIncBasePriorityPrivilege	2752	csrss.exe
Token: SeCreatePagefilePrivilege	2752	csrss.exe
Token: SeBackupPrivilege	2752	csrss.exe
Token: SeRestorePrivilege	2752	csrss.exe
Token: SeShutdownPrivilege	2752	csrss.exe
Token: SeDebugPrivilege	2752	csrss.exe
Token: SeSystemEnvironmentPrivilege	2752	csrss.exe
Token: SeRemoteShutdownPrivilege	2752	csrss.exe
Token: SeUndockPrivilege	2752	csrss.exe
Token: SeManageVolumePrivilege	2752	csrss.exe
Token: 33	2752	csrss.exe
Token: 34	2752	csrss.exe
Token: 35	2752	csrss.exe
Token: 36	2752	csrss.exe
Token: SeDebugPrivilege	2140	csrss.exe
Token: SeIncreaseQuotaPrivilege	780	powershell.exe
Token: SeSecurityPrivilege	780	powershell.exe
Token: SeTakeOwnershipPrivilege	780	powershell.exe
Token: SeLoadDriverPrivilege	780	powershell.exe
Token: SeSystemProfilePrivilege	780	powershell.exe
Token: SeSystemtimePrivilege	780	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 5072	2684	2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe	66
PID 2684 wrote to memory of 5072	2684	2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe	66
PID 2684 wrote to memory of 5072	2684	2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe	66
PID 5072 wrote to memory of 5084	5072	WScript.exe	67
PID 5072 wrote to memory of 5084	5072	WScript.exe	67
PID 5072 wrote to memory of 5084	5072	WScript.exe	67
PID 5084 wrote to memory of 3564	5084	cmd.exe	69
PID 5084 wrote to memory of 3564	5084	cmd.exe	69
PID 3564 wrote to memory of 780	3564	DllCommonsvc.exe	110
PID 3564 wrote to memory of 780	3564	DllCommonsvc.exe	110
PID 3564 wrote to memory of 3168	3564	DllCommonsvc.exe	119
PID 3564 wrote to memory of 3168	3564	DllCommonsvc.exe	119
PID 3564 wrote to memory of 2372	3564	DllCommonsvc.exe	118
PID 3564 wrote to memory of 2372	3564	DllCommonsvc.exe	118
PID 3564 wrote to memory of 2256	3564	DllCommonsvc.exe	112
PID 3564 wrote to memory of 2256	3564	DllCommonsvc.exe	112
PID 3564 wrote to memory of 2004	3564	DllCommonsvc.exe	115
PID 3564 wrote to memory of 2004	3564	DllCommonsvc.exe	115
PID 3564 wrote to memory of 768	3564	DllCommonsvc.exe	113
PID 3564 wrote to memory of 768	3564	DllCommonsvc.exe	113
PID 3564 wrote to memory of 2752	3564	DllCommonsvc.exe	120
PID 3564 wrote to memory of 2752	3564	DllCommonsvc.exe	120
PID 3564 wrote to memory of 1872	3564	DllCommonsvc.exe	139
PID 3564 wrote to memory of 1872	3564	DllCommonsvc.exe	139
PID 3564 wrote to memory of 2196	3564	DllCommonsvc.exe	138
PID 3564 wrote to memory of 2196	3564	DllCommonsvc.exe	138
PID 3564 wrote to memory of 2688	3564	DllCommonsvc.exe	135
PID 3564 wrote to memory of 2688	3564	DllCommonsvc.exe	135
PID 3564 wrote to memory of 4964	3564	DllCommonsvc.exe	134
PID 3564 wrote to memory of 4964	3564	DllCommonsvc.exe	134
PID 3564 wrote to memory of 4700	3564	DllCommonsvc.exe	126
PID 3564 wrote to memory of 4700	3564	DllCommonsvc.exe	126
PID 3564 wrote to memory of 2660	3564	DllCommonsvc.exe	132
PID 3564 wrote to memory of 2660	3564	DllCommonsvc.exe	132
PID 3564 wrote to memory of 2892	3564	DllCommonsvc.exe	129
PID 3564 wrote to memory of 2892	3564	DllCommonsvc.exe	129
PID 3564 wrote to memory of 2852	3564	DllCommonsvc.exe	136
PID 3564 wrote to memory of 2852	3564	DllCommonsvc.exe	136
PID 2852 wrote to memory of 3152	2852	cmd.exe	140
PID 2852 wrote to memory of 3152	2852	cmd.exe	140
PID 2852 wrote to memory of 2140	2852	cmd.exe	141
PID 2852 wrote to memory of 2140	2852	cmd.exe	141
PID 2140 wrote to memory of 3904	2140	csrss.exe	144
PID 2140 wrote to memory of 3904	2140	csrss.exe	144
PID 3904 wrote to memory of 4068	3904	cmd.exe	145
PID 3904 wrote to memory of 4068	3904	cmd.exe	145
PID 3904 wrote to memory of 2752	3904	cmd.exe	146
PID 3904 wrote to memory of 2752	3904	cmd.exe	146
PID 2752 wrote to memory of 4996	2752	csrss.exe	147
PID 2752 wrote to memory of 4996	2752	csrss.exe	147
PID 4996 wrote to memory of 2872	4996	cmd.exe	149
PID 4996 wrote to memory of 2872	4996	cmd.exe	149
PID 4996 wrote to memory of 4796	4996	cmd.exe	150
PID 4996 wrote to memory of 4796	4996	cmd.exe	150
PID 4796 wrote to memory of 360	4796	csrss.exe	151
PID 4796 wrote to memory of 360	4796	csrss.exe	151
PID 360 wrote to memory of 4156	360	cmd.exe	153
PID 360 wrote to memory of 4156	360	cmd.exe	153
PID 360 wrote to memory of 1184	360	cmd.exe	154
PID 360 wrote to memory of 1184	360	cmd.exe	154
PID 1184 wrote to memory of 4284	1184	csrss.exe	155
PID 1184 wrote to memory of 4284	1184	csrss.exe	155
PID 4284 wrote to memory of 1360	4284	cmd.exe	157
PID 4284 wrote to memory of 1360	4284	cmd.exe	157

C:\Users\Admin\AppData\Local\Temp\2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
"C:\Users\Admin\AppData\Local\Temp\2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\it-IT\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\ja-JP\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\1041\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eSMsDQCmtw.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3152
      - C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4156
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1360
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        15⤵
        
        PID:4888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3576
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        17⤵
        
        PID:4924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1336
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"
        19⤵
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:68
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        21⤵
        
        PID:3164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4772
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
        23⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1272
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        25⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4700
        
        C:\Windows\Microsoft.NET\Framework\1041\csrss.exe
        
        "C:\Windows\Microsoft.NET\Framework\1041\csrss.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        27⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\tmp\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\ja-JP\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\Help\ja-JP\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\ja-JP\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Help\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\Framework\1041\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1041\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\1041\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\tmp\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\assembly\tmp\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\tmp\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteApps\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a81d90ef709f3b36f54ad538741a61e2

SHA1
8d5055d4a14d1c7bf656ef9a10a4214c9beab57b

SHA256
fb02699f40cb9496170b42e975b55ec735170c4e04b33cb4018375afc18dda8d

SHA512
a51c16c20c649e6696047417dd8797c33f8b9a3e8b0753699e69b2759d923b9a2a3abd1de1b4d843779f3e41aae0433eb2c3582be7fa1d7bb38791d380194d11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a81d90ef709f3b36f54ad538741a61e2

SHA1
8d5055d4a14d1c7bf656ef9a10a4214c9beab57b

SHA256
fb02699f40cb9496170b42e975b55ec735170c4e04b33cb4018375afc18dda8d

SHA512
a51c16c20c649e6696047417dd8797c33f8b9a3e8b0753699e69b2759d923b9a2a3abd1de1b4d843779f3e41aae0433eb2c3582be7fa1d7bb38791d380194d11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cca714f154d362fe9bf0aac437b9f979

SHA1
3310322b74a5cff769aff7b0b421c1d688633be1

SHA256
6c0fde4a1d14c75cbf6cae68617191384d1c9c0f75ca7659b98361b93d17ba70

SHA512
2c1712c4dd670993f15a24b9ec7e35c78ad1bf95075807977e47d1774ee9887202cb954c84c011c63c6cd3f17fdf1782329b6309bb36424519b3688365652f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cca714f154d362fe9bf0aac437b9f979

SHA1
3310322b74a5cff769aff7b0b421c1d688633be1

SHA256
6c0fde4a1d14c75cbf6cae68617191384d1c9c0f75ca7659b98361b93d17ba70

SHA512
2c1712c4dd670993f15a24b9ec7e35c78ad1bf95075807977e47d1774ee9887202cb954c84c011c63c6cd3f17fdf1782329b6309bb36424519b3688365652f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8aaebeccdd3e56786045084ec83bedef

SHA1
39850c5bd2141d159faa61d31abafa49cba0712f

SHA256
1c51406412fc912ad5bfbe7e5724f2c4e6e36bfb45fc2eb66d3f9bf97df15602

SHA512
5389d273f11d7ae44a922f370acdf212a4be9a91fc60e64fe7b13fab2b5e95a665533ad768c18d7d2d567c023415d73cba170480fdc9fcddd2a95d760a5b043e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
65ae8d50fd4cdc48accacb20e8db4c9c

SHA1
330e73447589c6d57cfa6772e5627cdc842ac60c

SHA256
3b8591794deac5143ad9a9299b9b85e63edb9278d11d071f20c1b5a845b7fb09

SHA512
e63cbaba665bb41522f773e74c81d4b560e6184538b61b454f42b7ff1c07f9e25f44242872a285887d518d2fe7334bb680f3860167906169c8bf59ebc893ec9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
827c1100b1092253c4d2d82d5555bb4f

SHA1
d60f664ffe2f8045c1ebb42d39b4ef34518c91f5

SHA256
800a25c3dc9c0f58e3a9ba4fb21cb1da50d988a126974206a58e76cee214c53e

SHA512
f0de75e18c2d9c955b767d98138d0b7c169e0ec28f109a14718bafde4f28cf1d227df8733922f873102afe3b74c9043fa5073bd317e9060e06fa0ccd17a70a4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e25387c9be4623e468444016a019e91

SHA1
524a6cf87386a76ad64ba86cedd0ab30659891c2

SHA256
7cb1bcca2c1ab28d85e44743e3487f7d0e0221a435714fee0e3232aa159b8d42

SHA512
99e8c4e1d89cd13e22cfc265d63b085d7e214bcc227271e0da9db10ee5beecd18fe7bce4257e437b3d22f52afb060a2a10d791a040d293ff6e7c107df79a5454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7965a6154e0be4e9a18e40d77815332a

SHA1
114bcb028f7384511ea78418c2c169a49d629c5c

SHA256
53528e920296f1c0832881304e0c7f385b8abe77d697474b8f0b92e3b0855de4

SHA512
63ee923d86d6f1661cbd209efbefdd353ec2703c30dfe01868bbbe315a7aff8f19d81ce1585fe27359ee3a97ca2ca9883d6d71b988f0d65349025d5f063409c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4270a878267427a88c258d77363d29e0

SHA1
d60eecac53280cbf47efc494f28319f50e00d3da

SHA256
038e3b539c5f99182cd7102eebe330698eefa38b8d2e476d78bbdf5cd410b330

SHA512
0b17e51fb21bc1f18a9c923ffcc3bebead0da614ccf8e7855894fe7eecface68bb30212bed9b44fd21bce3739d5427c0efcf947da07998c6dba23dedccb78ef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4270a878267427a88c258d77363d29e0

SHA1
d60eecac53280cbf47efc494f28319f50e00d3da

SHA256
038e3b539c5f99182cd7102eebe330698eefa38b8d2e476d78bbdf5cd410b330

SHA512
0b17e51fb21bc1f18a9c923ffcc3bebead0da614ccf8e7855894fe7eecface68bb30212bed9b44fd21bce3739d5427c0efcf947da07998c6dba23dedccb78ef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
384fbb79c0805f26fc24f7aff8fa33c3

SHA1
df6b2f502b2d50a5566adc6c96318cb35c4492ce

SHA256
94730219567770df05076d081a277f5b9c48d0758ca4408ed68223e9468296a5

SHA512
742818e18049a82ee203a68ca9d7d21f73096ab7cd491fab7a8530de7987eeedd9e973e4a88001a709ac2ff65453adc8ade914176a607923ea10747796b9a917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ccad0e779c749654d7f1e699f517932f

SHA1
b2d1a828580aa7f6de8e2dc488b43c6d0a5d5a92

SHA256
8a95b995545196cc1d7e63926f65d67e2cd73c882f4e0e8707a0e91294b59bdf

SHA512
5045360c47cd710ce4a933c1497a2391dc37a47c88636644cc8c0bacadcc84dc08d8cf38a69f89a32eb1373fd9d186bb50a1eacaabdc393ddbff98ff68abc2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

Filesize
214B

MD5
56f2b3d84d83540564240dd853d6fd50

SHA1
939a1b9e32432c359003a5004afea630cb151a42

SHA256
634314ceaa34ac2dfd774cea426af3e4fb93bacc394fcfe9510ecb0f64d267e7

SHA512
e614df456714925e939a3b589a099ca48e09716c3f7ff6e94d3c12d1991903964a4a16224e127a97b43bc94b45aaed70d175424a42999d60685ba92775154528

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
214B

MD5
72e81824a1062d4f0eb1398422851183

SHA1
12e941d84f921045a748782565ed509ba2585895

SHA256
26dc6481ea1da47423dbd4db9664b6435fa22d4397ab08a778f6bfe093a97d14

SHA512
2c53250177cefda6f7069310d8233a0127045deabc4d6c7633040fd7bbced42ceb5e4fd45fc1701eb506a6469c41c59fa6b39a91b167051caed3a9076e03f95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
214B

MD5
72e81824a1062d4f0eb1398422851183

SHA1
12e941d84f921045a748782565ed509ba2585895

SHA256
26dc6481ea1da47423dbd4db9664b6435fa22d4397ab08a778f6bfe093a97d14

SHA512
2c53250177cefda6f7069310d8233a0127045deabc4d6c7633040fd7bbced42ceb5e4fd45fc1701eb506a6469c41c59fa6b39a91b167051caed3a9076e03f95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat

Filesize
214B

MD5
a8d6a9b313fb97db799487c8b6eb6a51

SHA1
f3306d304f22c5a2f84cff917ab85e07b79d6bdb

SHA256
9e9f33f02f477da1bbcda3f5ad4535ede056a96553e33241b8f25dbd895e2354

SHA512
5ae1fce80fa9d4199d5dfe11e3888bc4643d2d092b2d02f5eb6d5d28b8432bd72d1ddf8297e605027c34900b4da9b37a99ee68450dd160c5a0126c99d3ce8e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

Filesize
214B

MD5
156bd16643b7251f3a454af8702c9cf2

SHA1
4404d0a51092f29c1945c6de7345ab4e47ee3393

SHA256
2d4927b67e07a55d4547dbd53ab7ff325481511d28c15a23ad82438fd60baed3

SHA512
33561771d71c179712d4d5fb1f4e07779cf0d5edff9b32aef77d41ea1e846aa347029146fb04c34bd4a802d2e0bc5ec4d658fedb5ddad9359fbc4c74b7909388

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
214B

MD5
7a3942377055e0c776ac166617b5c4ac

SHA1
5c6d13d0f950e8669b22b363fc09be8c856eb12b

SHA256
a8d00b7924ee5f9362f632571126b566d941a12137db94f81e4f97c26c723f27

SHA512
265c25432f96795a1ca46f160486c611c3eecb028e686c17eb2fae8d45b04dec65e4429744ce811fc43bfe3ad963f239fb35583219e4345f6dabb954fbd6d9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

Filesize
214B

MD5
42446141793907d65988daae4266994a

SHA1
190d35c46ed4a862f628bd03163d6722464fa417

SHA256
d400f327cf7aa4f62c5d9666c8bfa7d2b60bfa93b333f53b880c9eca13489968

SHA512
c8db145c71502bddeda22647cd77884deb6f662367f2e72efe0666d729768cbb4b5dc9f5a8fa8dc49630e86ff65e47a4e2d263d5e67f44726e414b6c80a6f100

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSMsDQCmtw.bat

Filesize
214B

MD5
5ab55c650977dd1292ecb77ef1a1bef8

SHA1
734c44720e9bb480e1ff53ecbe9b510becad9e47

SHA256
ab997109019960697e4cab5b5d3fc8f656c19ed2b1961c0b9a427e913e052572

SHA512
f1e35846e581f8601564355922daffb966d6294b833937a28da28ec870b260482cc305e741549d853f91026e2dfabac1c8e90b5f6699e5666c913e40511b174f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
214B

MD5
c68f307321fc04b52a367ca8ba44c0ff

SHA1
f5da60fec605a8cffc4fc02228ee09a074a29d4b

SHA256
af4120e54b392e1ae08842665b777d3f60c1683e00b4ae38e80d622e85bcb489

SHA512
11775302cc94de5995c3d9a4abfe871288cd2abeb2b700778dc900623afb42bc83110ddd5d6297746831a9c9eac6d58ad9b3e36e84670eb281e2f583644971c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
214B

MD5
c68f307321fc04b52a367ca8ba44c0ff

SHA1
f5da60fec605a8cffc4fc02228ee09a074a29d4b

SHA256
af4120e54b392e1ae08842665b777d3f60c1683e00b4ae38e80d622e85bcb489

SHA512
11775302cc94de5995c3d9a4abfe871288cd2abeb2b700778dc900623afb42bc83110ddd5d6297746831a9c9eac6d58ad9b3e36e84670eb281e2f583644971c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
214B

MD5
723fe45c3d07b21fce9b0ff53738d530

SHA1
60dc3cc3cf4e12e47a563c43c9d29bf68432f54f

SHA256
77fc40ff606f219af25620d12560b54ec4ab41f780c53d6525709758a4818df9

SHA512
54383270b9a324286e8472ba9cdd1325588b126bddbdecd0a384b8acef6d60dcca309ce71b11e8472716ed0417a0a0f8be4dd7b51444aca047e4db8b731b5c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
214B

MD5
e9cdf4a8684c33c4f97b4d22e9eccc50

SHA1
c143d7e1acee2c8d875691204541d0a9252480fa

SHA256
c07e5d4f7ddfdedf9f09c00d7abb8e4be4745e05086300bf5a79e1afd30f4f93

SHA512
1e5bcea135fa1ec9af5e8754055df1e4ce348dc1b1485a4b348de629de1ddf6eb8afb648678e9c176f2fcad1c4bcab58a3b2c4a44126a5cb18027008b83a80db

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Microsoft.NET\Framework\1041\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1184-802-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/2140-646-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2684-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-178-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-174-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-173-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-171-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-170-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-156-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-154-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-152-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-149-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-148-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2684-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2752-388-0x000002D166C90000-0x000002D166D06000-memory.dmp

Filesize
472KB

Download
memory/2752-791-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/3168-355-0x000002884D920000-0x000002884D942000-memory.dmp

Filesize
136KB

Download
memory/3564-285-0x0000000002CB0000-0x0000000002CBC000-memory.dmp

Filesize
48KB

Download
memory/3564-284-0x00000000012A0000-0x00000000012AC000-memory.dmp

Filesize
48KB

Download
memory/3564-283-0x0000000001290000-0x000000000129C000-memory.dmp

Filesize
48KB

Download
memory/3564-282-0x0000000001270000-0x0000000001282000-memory.dmp

Filesize
72KB

Download
memory/3564-281-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/5072-180-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/5072-181-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download