dcrat | fcc15aae2b7a7846ce4e88062bed5f03f042f9578e4dd0f20da677b2f6f37d43

Analysis

max time kernel
144s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 18:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fcc15aae2b7a7846ce4e88062bed5f03f042f9578e4dd0f20da677b2f6f37d43.exe
Size

1.3MB
MD5

57bd7653d075cb62c39362830308a4a3
SHA1

8db3535113a574086d5a6fd43ec04eeac8c21acf
SHA256

fcc15aae2b7a7846ce4e88062bed5f03f042f9578e4dd0f20da677b2f6f37d43
SHA512

678045e0108687b1d4710307d08068c1bab0ef87f5420a8e4efe6b2911cdf2a10624f30c64333ec6a33cb309c5fbb6fc521d90954ec645855a5a973a5ae4a748
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	96	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	3668	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	3668	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac12-284.dat	dcrat
behavioral1/files/0x000800000001ac12-285.dat	dcrat
behavioral1/memory/3572-286-0x00000000004A0000-0x00000000005B0000-memory.dmp	dcrat
behavioral1/files/0x000800000001ac12-603.dat	dcrat
behavioral1/files/0x000900000001ac53-743.dat	dcrat
behavioral1/files/0x000900000001ac53-745.dat	dcrat
behavioral1/files/0x000900000001ac53-867.dat	dcrat
behavioral1/files/0x000900000001ac53-873.dat	dcrat
behavioral1/files/0x000900000001ac53-878.dat	dcrat
behavioral1/files/0x000900000001ac53-884.dat	dcrat
behavioral1/files/0x000900000001ac53-889.dat	dcrat
behavioral1/files/0x000900000001ac53-894.dat	dcrat
behavioral1/files/0x000900000001ac53-900.dat	dcrat
behavioral1/files/0x000900000001ac53-905.dat	dcrat
behavioral1/files/0x000900000001ac53-910.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3572	DllCommonsvc.exe
2872	DllCommonsvc.exe
4928	csrss.exe
5500	csrss.exe
5688	csrss.exe
5868	csrss.exe
6048	csrss.exe
4728	csrss.exe
3236	csrss.exe
208	csrss.exe
3260	csrss.exe
4228	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\fre\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\fre\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Maps\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Resources\Maps\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Maps\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\Speech\Common\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\es-ES\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\es-ES\e6c9b481da804f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4632	schtasks.exe
4812	schtasks.exe
5004	schtasks.exe
4764	schtasks.exe
3068	schtasks.exe
5016	schtasks.exe
4692	schtasks.exe
4708	schtasks.exe
4072	schtasks.exe
96	schtasks.exe
4204	schtasks.exe
4244	schtasks.exe
1880	schtasks.exe
4104	schtasks.exe
4972	schtasks.exe
3140	schtasks.exe
1876	schtasks.exe
3912	schtasks.exe
4048	schtasks.exe
3832	schtasks.exe
3268	schtasks.exe
2064	schtasks.exe
4492	schtasks.exe
1576	schtasks.exe
4828	schtasks.exe
4644	schtasks.exe
4724	schtasks.exe
4824	schtasks.exe
4816	schtasks.exe
4576	schtasks.exe
3952	schtasks.exe
3260	schtasks.exe
3276	schtasks.exe
4616	schtasks.exe
3140	schtasks.exe
5096	schtasks.exe
4544	schtasks.exe
784	schtasks.exe
4840	schtasks.exe
2492	schtasks.exe
3120	schtasks.exe
5084	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fcc15aae2b7a7846ce4e88062bed5f03f042f9578e4dd0f20da677b2f6f37d43.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3572	DllCommonsvc.exe
3288	powershell.exe
3960	powershell.exe
3288	powershell.exe
3960	powershell.exe
3960	powershell.exe
3288	powershell.exe
3288	powershell.exe
520	powershell.exe
520	powershell.exe
3960	powershell.exe
520	powershell.exe
2316	powershell.exe
2316	powershell.exe
4868	powershell.exe
4868	powershell.exe
520	powershell.exe
2284	powershell.exe
2284	powershell.exe
4780	powershell.exe
4780	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
216	powershell.exe
216	powershell.exe
216	powershell.exe
696	powershell.exe
696	powershell.exe
4780	powershell.exe
3128	powershell.exe
3128	powershell.exe
3128	powershell.exe
2316	powershell.exe
3940	powershell.exe
3940	powershell.exe
1328	powershell.exe
1328	powershell.exe
2284	powershell.exe
4868	powershell.exe
3940	powershell.exe
696	powershell.exe
1328	powershell.exe
4228	powershell.exe
216	powershell.exe
4780	powershell.exe
3128	powershell.exe
2316	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	DllCommonsvc.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeIncreaseQuotaPrivilege	3288	powershell.exe
Token: SeSecurityPrivilege	3288	powershell.exe
Token: SeTakeOwnershipPrivilege	3288	powershell.exe
Token: SeLoadDriverPrivilege	3288	powershell.exe
Token: SeSystemProfilePrivilege	3288	powershell.exe
Token: SeSystemtimePrivilege	3288	powershell.exe
Token: SeProfSingleProcessPrivilege	3288	powershell.exe
Token: SeIncBasePriorityPrivilege	3288	powershell.exe
Token: SeCreatePagefilePrivilege	3288	powershell.exe
Token: SeBackupPrivilege	3288	powershell.exe
Token: SeRestorePrivilege	3288	powershell.exe
Token: SeShutdownPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeSystemEnvironmentPrivilege	3288	powershell.exe
Token: SeRemoteShutdownPrivilege	3288	powershell.exe
Token: SeUndockPrivilege	3288	powershell.exe
Token: SeManageVolumePrivilege	3288	powershell.exe
Token: 33	3288	powershell.exe
Token: 34	3288	powershell.exe
Token: 35	3288	powershell.exe
Token: 36	3288	powershell.exe
Token: SeIncreaseQuotaPrivilege	3960	powershell.exe
Token: SeSecurityPrivilege	3960	powershell.exe
Token: SeTakeOwnershipPrivilege	3960	powershell.exe
Token: SeLoadDriverPrivilege	3960	powershell.exe
Token: SeSystemProfilePrivilege	3960	powershell.exe
Token: SeSystemtimePrivilege	3960	powershell.exe
Token: SeProfSingleProcessPrivilege	3960	powershell.exe
Token: SeIncBasePriorityPrivilege	3960	powershell.exe
Token: SeCreatePagefilePrivilege	3960	powershell.exe
Token: SeBackupPrivilege	3960	powershell.exe
Token: SeRestorePrivilege	3960	powershell.exe
Token: SeShutdownPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeSystemEnvironmentPrivilege	3960	powershell.exe
Token: SeRemoteShutdownPrivilege	3960	powershell.exe
Token: SeUndockPrivilege	3960	powershell.exe
Token: SeManageVolumePrivilege	3960	powershell.exe
Token: 33	3960	powershell.exe
Token: 34	3960	powershell.exe
Token: 35	3960	powershell.exe
Token: 36	3960	powershell.exe
Token: SeIncreaseQuotaPrivilege	520	powershell.exe
Token: SeSecurityPrivilege	520	powershell.exe
Token: SeTakeOwnershipPrivilege	520	powershell.exe
Token: SeLoadDriverPrivilege	520	powershell.exe
Token: SeSystemProfilePrivilege	520	powershell.exe
Token: SeSystemtimePrivilege	520	powershell.exe
Token: SeProfSingleProcessPrivilege	520	powershell.exe
Token: SeIncBasePriorityPrivilege	520	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 3024	1148	fcc15aae2b7a7846ce4e88062bed5f03f042f9578e4dd0f20da677b2f6f37d43.exe	66
PID 1148 wrote to memory of 3024	1148	fcc15aae2b7a7846ce4e88062bed5f03f042f9578e4dd0f20da677b2f6f37d43.exe	66
PID 1148 wrote to memory of 3024	1148	fcc15aae2b7a7846ce4e88062bed5f03f042f9578e4dd0f20da677b2f6f37d43.exe	66
PID 3024 wrote to memory of 4500	3024	WScript.exe	67
PID 3024 wrote to memory of 4500	3024	WScript.exe	67
PID 3024 wrote to memory of 4500	3024	WScript.exe	67
PID 4500 wrote to memory of 3572	4500	cmd.exe	69
PID 4500 wrote to memory of 3572	4500	cmd.exe	69
PID 3572 wrote to memory of 3288	3572	DllCommonsvc.exe	107
PID 3572 wrote to memory of 3288	3572	DllCommonsvc.exe	107
PID 3572 wrote to memory of 3960	3572	DllCommonsvc.exe	115
PID 3572 wrote to memory of 3960	3572	DllCommonsvc.exe	115
PID 3572 wrote to memory of 520	3572	DllCommonsvc.exe	109
PID 3572 wrote to memory of 520	3572	DllCommonsvc.exe	109
PID 3572 wrote to memory of 4868	3572	DllCommonsvc.exe	110
PID 3572 wrote to memory of 4868	3572	DllCommonsvc.exe	110
PID 3572 wrote to memory of 216	3572	DllCommonsvc.exe	112
PID 3572 wrote to memory of 216	3572	DllCommonsvc.exe	112
PID 3572 wrote to memory of 2316	3572	DllCommonsvc.exe	116
PID 3572 wrote to memory of 2316	3572	DllCommonsvc.exe	116
PID 3572 wrote to memory of 2284	3572	DllCommonsvc.exe	117
PID 3572 wrote to memory of 2284	3572	DllCommonsvc.exe	117
PID 3572 wrote to memory of 4228	3572	DllCommonsvc.exe	118
PID 3572 wrote to memory of 4228	3572	DllCommonsvc.exe	118
PID 3572 wrote to memory of 4780	3572	DllCommonsvc.exe	121
PID 3572 wrote to memory of 4780	3572	DllCommonsvc.exe	121
PID 3572 wrote to memory of 3128	3572	DllCommonsvc.exe	122
PID 3572 wrote to memory of 3128	3572	DllCommonsvc.exe	122
PID 3572 wrote to memory of 696	3572	DllCommonsvc.exe	123
PID 3572 wrote to memory of 696	3572	DllCommonsvc.exe	123
PID 3572 wrote to memory of 3940	3572	DllCommonsvc.exe	127
PID 3572 wrote to memory of 3940	3572	DllCommonsvc.exe	127
PID 3572 wrote to memory of 1328	3572	DllCommonsvc.exe	131
PID 3572 wrote to memory of 1328	3572	DllCommonsvc.exe	131
PID 3572 wrote to memory of 3788	3572	DllCommonsvc.exe	133
PID 3572 wrote to memory of 3788	3572	DllCommonsvc.exe	133
PID 3788 wrote to memory of 4984	3788	cmd.exe	135
PID 3788 wrote to memory of 4984	3788	cmd.exe	135
PID 3788 wrote to memory of 2872	3788	cmd.exe	137
PID 3788 wrote to memory of 2872	3788	cmd.exe	137
PID 2872 wrote to memory of 2348	2872	DllCommonsvc.exe	144
PID 2872 wrote to memory of 2348	2872	DllCommonsvc.exe	144
PID 2872 wrote to memory of 1256	2872	DllCommonsvc.exe	145
PID 2872 wrote to memory of 1256	2872	DllCommonsvc.exe	145
PID 2872 wrote to memory of 4548	2872	DllCommonsvc.exe	146
PID 2872 wrote to memory of 4548	2872	DllCommonsvc.exe	146
PID 2872 wrote to memory of 4928	2872	DllCommonsvc.exe	150
PID 2872 wrote to memory of 4928	2872	DllCommonsvc.exe	150
PID 4928 wrote to memory of 2852	4928	csrss.exe	151
PID 4928 wrote to memory of 2852	4928	csrss.exe	151
PID 2852 wrote to memory of 5248	2852	cmd.exe	153
PID 2852 wrote to memory of 5248	2852	cmd.exe	153
PID 2852 wrote to memory of 5500	2852	cmd.exe	154
PID 2852 wrote to memory of 5500	2852	cmd.exe	154
PID 5500 wrote to memory of 5612	5500	csrss.exe	155
PID 5500 wrote to memory of 5612	5500	csrss.exe	155
PID 5612 wrote to memory of 5668	5612	cmd.exe	157
PID 5612 wrote to memory of 5668	5612	cmd.exe	157
PID 5612 wrote to memory of 5688	5612	cmd.exe	158
PID 5612 wrote to memory of 5688	5612	cmd.exe	158
PID 5688 wrote to memory of 5792	5688	csrss.exe	159
PID 5688 wrote to memory of 5792	5688	csrss.exe	159
PID 5792 wrote to memory of 5848	5792	cmd.exe	161
PID 5792 wrote to memory of 5848	5792	cmd.exe	161

C:\Users\Admin\AppData\Local\Temp\fcc15aae2b7a7846ce4e88062bed5f03f042f9578e4dd0f20da677b2f6f37d43.exe
"C:\Users\Admin\AppData\Local\Temp\fcc15aae2b7a7846ce4e88062bed5f03f042f9578e4dd0f20da677b2f6f37d43.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Maps\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\fre\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\es-ES\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJNh9tiUQX.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3788
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4984
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        
        PID:2348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\csrss.exe'
        7⤵
        
        PID:1256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\powershell.exe'
        7⤵
        
        PID:4548
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5248
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5668
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5848
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        14⤵
        
        PID:5972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:6028
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"
        16⤵
        
        PID:4236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3456
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        18⤵
        
        PID:5228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:764
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        20⤵
        
        PID:384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1804
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        22⤵
        
        PID:4048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1756
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
        24⤵
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4500
        
        C:\Users\Admin\Saved Games\csrss.exe
        
        "C:\Users\Admin\Saved Games\csrss.exe"
        25⤵
        Executes dropped EXE
        
        PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Maps\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Resources\Maps\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Maps\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\fre\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\fre\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\root\fre\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\es-ES\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:96

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\Videos\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ef42224b883426040cc91e66545cb2c

SHA1
b7d11210d117ab6e6b220bb93daf39a89bcfcd80

SHA256
be73c3ff3160cd7a81ed6b4caace27c9032bc5f1b6f8359a8627467f8c8efb11

SHA512
57e2cd15518a2ce0197eb7ffda21065b40a8d47727bcd09e8dcb25a7fa7022cb327f33c1f2adf4e37386c8f5a1041097fa806bd75c5040a0ce1e28344860c7dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
332adf59e645e407e3142de1a79bae34

SHA1
046754729373e4919c6488153404b60084648d22

SHA256
7dbffce2e32b1f9de86a113423ccdc470edb5276653d3785c8dd9b28719afb5c

SHA512
83dea09d223385cc28b860e0e1ce96cfa7ade752538227c5811c561b5dfdf96be47760bf9bb3d3ea4f0c573983c3d4b8e9069c9ae5816202f705c7bc2a15c122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4b3a7f38cc47ec0638026dd9ccbd4c0

SHA1
bf1b2098b4ed949c40cedd8e716879af695c4f33

SHA256
0be0019c621612e34862a0a2ddfe70ce9a1182c3ea5fb9b51a39af1a0ade5c7b

SHA512
8f56dc5055e8c7e965386cc6ad44b4940ab73aa458e33b0205087b354c77bec8f01aa5fa0caa69c5d06718aeeba3575b2906e8ece08aa9dee98b6d5becc17490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
705a829c905315d7f26458531dc325b8

SHA1
9d3500fa0cdb3ebd0d118da488fc4cd6ea53365f

SHA256
19aadfc7b22d96f58e679f764bc59cc177094bb8720d6611edc93a5ababee5cd

SHA512
2837913ec3b9277149a4b11f29e5faaadfb94ce7f1868731655b1116512ba4b9fc7051f00d682d4296debef43c58f81cf2faeb708bd1018d812e0ed2e53fcba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
891bb7bd44348f69a38805b6aeedfbde

SHA1
0f24f723d872861e374ebeea409a54274812015d

SHA256
14bc1caa1b4caf16dbe44ed1afb126c7c9985c981a031412c01235132b0967b4

SHA512
31b3909e10e6889c5641721a104cb00cf999fb80c41cef6a22ba2997f43b6064db342e2c0a11b7862b6a92bd7929be245444e69c73bb0106be973bd8306f83de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
891bb7bd44348f69a38805b6aeedfbde

SHA1
0f24f723d872861e374ebeea409a54274812015d

SHA256
14bc1caa1b4caf16dbe44ed1afb126c7c9985c981a031412c01235132b0967b4

SHA512
31b3909e10e6889c5641721a104cb00cf999fb80c41cef6a22ba2997f43b6064db342e2c0a11b7862b6a92bd7929be245444e69c73bb0106be973bd8306f83de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
937d43a1a3c75a2c04312fd5704e9d17

SHA1
8f19d74c15667df9710b294f382a2b029e7cfff5

SHA256
bad0b90a4699cd3a87971dac74452a86bda6ba7cf5f8cb34bb343b7eafa6941e

SHA512
3990238c2a75eb83c46cb1cbf404addf92762697c24ba8443368e614e5759df9d0a5425198f1e2fc55b1ba080b3d5698d5c7914f286a420da06a35257552ef40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
937d43a1a3c75a2c04312fd5704e9d17

SHA1
8f19d74c15667df9710b294f382a2b029e7cfff5

SHA256
bad0b90a4699cd3a87971dac74452a86bda6ba7cf5f8cb34bb343b7eafa6941e

SHA512
3990238c2a75eb83c46cb1cbf404addf92762697c24ba8443368e614e5759df9d0a5425198f1e2fc55b1ba080b3d5698d5c7914f286a420da06a35257552ef40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
937d43a1a3c75a2c04312fd5704e9d17

SHA1
8f19d74c15667df9710b294f382a2b029e7cfff5

SHA256
bad0b90a4699cd3a87971dac74452a86bda6ba7cf5f8cb34bb343b7eafa6941e

SHA512
3990238c2a75eb83c46cb1cbf404addf92762697c24ba8443368e614e5759df9d0a5425198f1e2fc55b1ba080b3d5698d5c7914f286a420da06a35257552ef40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
115bfa5af2f256dce598db08c87baa26

SHA1
a45bb07fe2605942227b222177f33d5b69eea667

SHA256
de0202652aa5781dc4df187c924a1c75a06ebd17bfb08899a75ee738b5f1b77b

SHA512
911f24fc565edf2753f3cb3e86f5db259b4a0bc8f9d8785db345648a82e7bcbffa3da031b7024b3fc3a48c9afdc0c0351b25b9b68de68a3d1ed7f2af341e86b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
115bfa5af2f256dce598db08c87baa26

SHA1
a45bb07fe2605942227b222177f33d5b69eea667

SHA256
de0202652aa5781dc4df187c924a1c75a06ebd17bfb08899a75ee738b5f1b77b

SHA512
911f24fc565edf2753f3cb3e86f5db259b4a0bc8f9d8785db345648a82e7bcbffa3da031b7024b3fc3a48c9afdc0c0351b25b9b68de68a3d1ed7f2af341e86b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c620f0a4c818817b195c5d97434a855e

SHA1
d5446277d2f5ffef2b7e250e58b7d4114609e951

SHA256
2cd42b861b9751922d99dcea50a5d68e907d7d15c4a04098aba02a61a6eafeca

SHA512
a6508080b496604ff8f40b50c87eb83f13f563ab3a1a763d3010b9580542d96d037e80a5b795640350c523c8336400bf4bf25a07bbee9821886c49c962e842e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3df03b7292eeda72e97180e347b03cf3

SHA1
6dcf07eba6cbefa06b5ca7cc458e2e87d18fb750

SHA256
a3b2aa06d843fcb2399f1d529737e59b2beeb20519bd80035c2033dac646a52f

SHA512
1d458b231c87f3a70031284430a63553e2739e9bd406d8a04a4f9d9b19ab4f97b4e785b41e2e530321767e8d7f6c12c2299078335491dfb205669f749ab29cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
215a607f8fcdb06a208b19b31da13623

SHA1
060aaa3971f0596a29ec9ba8d7a613851f9e12a1

SHA256
17419027ff16ad5c1d2124c34b5e0408155cc99229226749c633ee0d0dd30d5d

SHA512
498cb93be8d62a1562c53d816f650067840e7668c9215667a4665e407d32e6062cbfece1f30f1871bf58c5be6ec41fd7e3561adc45309e41295456c71dc7ba91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
215a607f8fcdb06a208b19b31da13623

SHA1
060aaa3971f0596a29ec9ba8d7a613851f9e12a1

SHA256
17419027ff16ad5c1d2124c34b5e0408155cc99229226749c633ee0d0dd30d5d

SHA512
498cb93be8d62a1562c53d816f650067840e7668c9215667a4665e407d32e6062cbfece1f30f1871bf58c5be6ec41fd7e3561adc45309e41295456c71dc7ba91

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
201B

MD5
e3baebed7b92e80900c8cd489817b39b

SHA1
ba3b50588e54d56942eda0a099bbfa09ab3aaa92

SHA256
55b1b26ea690a41624846d12227490557005c7105ded6381b18c0fb2e045f71f

SHA512
e0757e6ba05044fe33522a2c4d9e87a8298a8d0002afee7393c167e3438f053b728936705c18ba49d749139559c4057d3612200bc3fa4eef33dc233abb8ebcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
201B

MD5
79694ea58525b0efde33e5a3be7bef3d

SHA1
7e0af1d59af3d9491d949bb235c6438137059bc8

SHA256
a0c7652617757c82b9c470605c111c8a0b162ea1a9972e47238c717506ca8b71

SHA512
c4a5e1a7349c421a6daaa9ac57a739e89e85ab0d55d1b692a49ecaa98acde92a01b0aa86ea9e35e1edbc168d79bb0f11df22f1f769d02b23bfe3386ac601bd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
201B

MD5
7aaa3d5585f82e54ecee345d6cab2c76

SHA1
78bfb78d741f8c7e1154a0f65ff24bc836d9aab6

SHA256
dcf6177c3e6bc4c754b0e762dcb1904efe681466dc70d8464ba28c3e578c4b5e

SHA512
bb719097365c2b6f9baeb072031f71f483831422bb4c1089cfe0b5163ca0f1ef9791fc671dc5680f2ccf7c5f96e09ba9e5627409884491432072a1621eeda841

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
201B

MD5
9e5d3e9ac5fd2d21b8f72d3b0d267f9b

SHA1
3af7704dd6df3804409bd184c53607c4c052b681

SHA256
36d6e42865c3eb6bc727379db86c2541efeb5c0ec3e991597b86dcffb0011938

SHA512
8af2c90b66a1e07c7d0172e60970c0e5936533a14c0be7dd854645bf782de2b82c5a7e30b600f2c1758b89f9d745114e339c7e6233305f3995dfe1a49c95c41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat

Filesize
201B

MD5
2ed868dcbdbd8b8ed613a6dd2770f7de

SHA1
ffaf18de9fdbf0c7c0e97961c5c14e073c333c11

SHA256
0f2b3869b571cf965238d338a7b38f370a023b13b1f63ca17ab24169708c28ba

SHA512
ce8cb1e897665b0faf20dda97e592cd6ce16b45cd7efcc89c2ed1488628d009cea16447945b142c6d29dff2db74cff4a0e0be418ecea723438ea0902c80a8b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
201B

MD5
21de9ce798f10f976091d2cfafbfa432

SHA1
d69056a5274101587480ebe19f15fa86f3f59d90

SHA256
060d94c7bb189e82ab166f4ce98e602f53fb29ddff7304a78e625450108fd2ff

SHA512
02501677c51c59fea3b4358c80591ff978fa6bc37e0516831fa017d3ab5216d28e0716e7a3c1f012bc1745c66e385fff9c964597bf702a9d1dbadfc84e00bd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat

Filesize
201B

MD5
17942e3f5545e9acab93445b40a3a824

SHA1
368db358298a5e834650e60384983cfa6565ae25

SHA256
a01b3a2db49ff6f10707440dfb4aa7c5f7fa26ac2430dd28f1906baee8644018

SHA512
1a14e5363c25bc261194e3d462eb175d66068e9d46b412de1c59c4bdf1b3d69f65cf9e1961cae874113a243c716ddffdd5eb28ad88447ecb8f9e33231d6b3b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
201B

MD5
ae73a376897e0761b38889fdd6390f23

SHA1
9b939b1424e8cc4584050847b6d237813fc1302c

SHA256
db4097acb757b74f350d593b025019381c78381f629fb8aeeb6fc779c573d911

SHA512
14e5550006c61604e17c90a1d31ed5cb4bfea81be221ca557a90b7ff7afd90ced212c1284996a6547c570a67e3921e62f8756edba47b340f3c612642e3369d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
201B

MD5
928bd871ddfa5e142534a24f299b4c5d

SHA1
25ad59eee53e12f58a9138b2b7204474ac232ddd

SHA256
856e18c41c725fa58ccd170634bd9a5aa096f8596acdc116f3878e1e857689a4

SHA512
f3cff933024c15a6fb381dc2c0714800ee2ce06de2ae9c70086b2bd0e309976f543b5174ce1480a6cb7965a9a6580b6238c818ebdea9fb4a610ff95abe177f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJNh9tiUQX.bat

Filesize
199B

MD5
91c177335f1c563547ec48e7cc65c14f

SHA1
aa53bf9cb6e247ca896c06ee9b332666fb01498e

SHA256
489c2551be47a566cc891ee6a2bd345f6e89ea05721531bb99d8365a3048a2d8

SHA512
c0d5122c98b47c612150444513dd0a8a0c870c04e8db5664a06a002d8bddd9c2d5caabdd8fd431b9df64143d4d60aa70b352668a02c70c484e19cba87a89d077

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Saved Games\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1148-164-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-137-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-175-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-176-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-177-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-178-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-179-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-180-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-181-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-182-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-183-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-121-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-122-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-123-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-172-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-173-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-125-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-126-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-171-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-170-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-128-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-129-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-130-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-131-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-132-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-133-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-169-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-134-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-135-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-136-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-174-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-168-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-138-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-139-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-140-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-141-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-142-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-167-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-143-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-144-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-166-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-145-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-146-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-147-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-165-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-120-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-148-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-149-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-150-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-151-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-152-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-163-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-162-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-153-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-161-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-154-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-160-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-159-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-158-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-157-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-156-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1148-155-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2872-675-0x00000000026D0000-0x00000000026E2000-memory.dmp

Filesize
72KB

Download
memory/3024-186-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3024-185-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/3236-895-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/3288-354-0x000001CE884B0000-0x000001CE884D2000-memory.dmp

Filesize
136KB

Download
memory/3288-360-0x000001CEA07E0000-0x000001CEA0856000-memory.dmp

Filesize
472KB

Download
memory/3572-286-0x00000000004A0000-0x00000000005B0000-memory.dmp

Filesize
1.1MB

Download
memory/3572-287-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/3572-288-0x0000000000E60000-0x0000000000E6C000-memory.dmp

Filesize
48KB

Download
memory/3572-289-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/3572-290-0x0000000002630000-0x000000000263C000-memory.dmp

Filesize
48KB

Download
memory/5868-879-0x00000000010E0000-0x00000000010F2000-memory.dmp

Filesize
72KB

Download